fix potential buffer overflow when txt records are forged
[project/mdnsd.git] / service.c
1 /*
2  * Copyright (C) 2014 John Crispin <blogic@openwrt.org>
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU Lesser General Public License version 2.1
6  * as published by the Free Software Foundation
7  *
8  * This program is distributed in the hope that it will be useful,
9  * but WITHOUT ANY WARRANTY; without even the implied warranty of
10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11  * GNU General Public License for more details.
12  */
13
14 #include <sys/types.h>
15 #include <arpa/nameser.h>
16 #include <sys/socket.h>
17
18 #include <resolv.h>
19 #include <glob.h>
20 #include <stdio.h>
21 #include <time.h>
22
23 #include <uci.h>
24 #include <uci_blob.h>
25
26 #include <libubox/vlist.h>
27 #include <libubox/uloop.h>
28 #include <libubox/avl-cmp.h>
29 #include <libubox/blobmsg_json.h>
30
31 #include "dns.h"
32 #include "service.h"
33 #include "util.h"
34 #include "interface.h"
35
/* Indices into service_policy and into the attribute table filled by blobmsg_parse(). */
enum {
        SERVICE_PORT,
        SERVICE_TXT,
        __SERVICE_MAX,
};

/*
 * One locally announced service, created by service_load() from a JSON
 * definition file and stored in the "services" vlist.
 */
struct service {
        /* Linkage into the services vlist. */
        struct vlist_node node;

        /* Timestamp maintained by service_timeout() to rate limit replies. */
        time_t t;

        /* Service name; service_load() copies it from the JSON attribute name. */
        const char *service;
        /* Path of the definition file the entry was loaded from. */
        const char *daemon;
        /* TXT payload: a sequence of strings, each preceded by a one-byte length. */
        const uint8_t *txt;
        /* Number of bytes at txt that service_reply() hands to dns_add_answer(). */
        int txt_len;
        /* Port from the "port" attribute; sent in the SRV record. */
        int port;
        /* Entries with active == 0 are skipped by service_reply(). */
        int active;
};

/* Expected attributes of one service definition: an integer port and an array of TXT strings. */
static const struct blobmsg_policy service_policy[__SERVICE_MAX] = {
        [SERVICE_PORT] = { .name = "port", .type = BLOBMSG_TYPE_INT32 },
        [SERVICE_TXT] = { .name = "txt", .type = BLOBMSG_TYPE_ARRAY },
};
59
/* Forward declaration: the vlist below needs the callback before it is defined. */
static void
service_update(struct vlist_tree *tree, struct vlist_node *node_new,
               struct vlist_node *node_old);

/* Scratch blob buffer reused by service_load() for every definition file. */
static struct blob_buf b;
/* All known services, keyed by service name (string compare); service_update() runs on changes. */
static VLIST_TREE(services, avl_strcmp, service_update, false, false);
/* Names under which service_announce_services() lists the UDP and TCP services. */
static char *sdudp =  "_services._dns-sd._udp.local";
static char *sdtcp =  "_services._dns-sd._tcp.local";
68
/*
 * Build "<mdns_hostname>.<domain>" and return it.
 *
 * The result lives in a function-local static buffer, so it is overwritten
 * by the next call and must not be freed.  snprintf() truncates names that
 * do not fit into the 256-byte buffer.
 */
static const char *
service_name(const char *domain)
{
        static char fqdn[256];

        snprintf(fqdn, sizeof(fqdn), "%s.%s", mdns_hostname, domain);
        return fqdn;
}
78
/*
 * Append a PTR answer that points at @host.
 *
 * The name is compressed into the shared mdns_buf scratch buffer; when
 * dn_comp() fails or produces nothing, no answer is added.
 */
static void
service_add_ptr(const char *host)
{
        int name_len;

        name_len = dn_comp(host, mdns_buf, sizeof(mdns_buf), NULL, NULL);
        if (name_len >= 1)
                dns_add_answer(TYPE_PTR, mdns_buf, name_len);
}
89
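/*
 * Append an SRV answer for @s to the pending reply.
 *
 * mdns_buf is used as scratch space: a struct dns_srv_data header followed
 * by the compressed form of mdns_hostname_local.  Nothing is added when
 * dn_comp() cannot encode the host name.
 */
static void
service_add_srv(struct service *s)
{
        struct dns_srv_data *sd = (struct dns_srv_data *) mdns_buf;
        int hdr_len = sizeof(*sd);
        int name_len;

        name_len = dn_comp(mdns_hostname_local, mdns_buf + hdr_len,
                           sizeof(mdns_buf) - hdr_len, NULL, NULL);
        if (name_len < 1)
                return;

        /*
         * mdns_buf is shared with service_add_ptr() and still holds whatever
         * the previous record left there.  Clear the header first so that no
         * stale bytes are sent in header fields other than the port.
         * NOTE(review): struct dns_srv_data is declared in dns.h; presumably
         * it also carries priority and weight -- confirm.
         */
        memset(sd, 0, sizeof(*sd));
        sd->port = cpu_to_be16(s->port);

        dns_add_answer(TYPE_SRV, mdns_buf, hdr_len + name_len);
}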
103
/* Minimum number of seconds between two replies for the same service. */
#define TOUT_LOOKUP     60

/*
 * Rate limit replies for @s.
 *
 * Returns 1 and stamps s->t with the current time when more than
 * TOUT_LOOKUP seconds have passed since the last stamp, 0 otherwise.
 */
static int
service_timeout(struct service *s)
{
        time_t now = time(NULL);

        if (now - s->t > TOUT_LOOKUP) {
                s->t = now;
                return 1;
        }

        return 0;
}
118
/*
 * Send an A record with the IPv4 address of @iface for the local host name.
 * Any @type other than TYPE_A is ignored.
 */
void
service_reply_a(struct interface *iface, int type)
{
        if (type == TYPE_A) {
                dns_init_answer();
                /* s_addr is passed as four raw bytes */
                dns_add_answer(TYPE_A, (uint8_t *) &iface->v4_addr.s_addr, 4);
                dns_send_answer(iface, mdns_hostname_local);
        }
}
129
/*
 * Answer for the locally registered services on @iface.
 *
 * For every active service that passes the rate limit, a PTR answer is sent
 * under the service type and an SRV answer (plus TXT, when present) under
 * the full service name.  When @match is non-NULL only the service with
 * that exact name is answered; when it is NULL every service is answered
 * and the host's A record is sent afterwards.
 */
void
service_reply(struct interface *iface, const char *match)
{
        struct service *s;

        vlist_for_each_element(&services, s, node) {
                /*
                 * fqdn points into service_name()'s static buffer and type
                 * points inside fqdn.  The second service_name() call below
                 * rewrites the buffer with the same text, so both stay valid.
                 */
                const char *fqdn = service_name(s->service);
                char *type = strstr(fqdn, "._");

                if (!s->active)
                        continue;
                if (!type)
                        continue;
                /* The rate limit is checked (and s->t stamped) before the match filter. */
                if (!service_timeout(s))
                        continue;
                if (match && strcmp(match, s->service) != 0)
                        continue;

                /* Skip the '.' so that type starts at the "_..." label. */
                type++;

                dns_init_answer();
                service_add_ptr(service_name(s->service));
                dns_send_answer(iface, type);

                dns_init_answer();
                service_add_srv(s);
                if (s->txt && s->txt_len)
                        dns_add_answer(TYPE_TXT, (uint8_t *) s->txt, s->txt_len);
                dns_send_answer(iface, fqdn);
        }

        if (!match)
                service_reply_a(iface, TYPE_A);
}
163
/*
 * Announce all services of one transport on @iface.
 *
 * @service must be one of the two names held in sdudp / sdtcp; any other
 * name is ignored.  Each service whose name contains the matching "._udp"
 * or "._tcp" label gets a PTR answer under that name, followed by its full
 * reply from service_reply().
 */
void
service_announce_services(struct interface *iface, const char *service)
{
        struct service *s;
        const char *proto;
        char *enum_name;

        if (strcmp(service, sdudp) == 0) {
                proto = "._udp";
                enum_name = sdudp;
        } else if (strcmp(service, sdtcp) == 0) {
                proto = "._tcp";
                enum_name = sdtcp;
        } else {
                return;
        }

        vlist_for_each_element(&services, s, node) {
                if (!strstr(s->service, proto))
                        continue;

                /* Reset the stamp so service_timeout() lets the reply below through. */
                s->t = 0;

                dns_init_answer();
                service_add_ptr(s->service);
                dns_send_answer(iface, enum_name);

                service_reply(iface, s->service);
        }
}
190
/* Announce every registered service on @iface, UDP services first, then TCP. */
void
service_announce(struct interface *iface)
{
        const char *domains[] = { sdudp, sdtcp };
        size_t i;

        for (i = 0; i < sizeof(domains) / sizeof(domains[0]); i++)
                service_announce_services(iface, domains[i]);
}
197
/*
 * Update callback of the services vlist.
 *
 * Only the outgoing node needs work: service_load() obtains the struct and
 * its strings from a single calloc_a() call, so one free() releases the
 * whole entry.  @tree and @node_new are unused.
 */
static void
service_update(struct vlist_tree *tree, struct vlist_node *node_new,
               struct vlist_node *node_old)
{
        if (node_old)
                free(container_of(node_old, struct service, node));
}
210
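/* Largest string length that the one-byte TXT length prefix can describe. */
#define TXT_ENTRY_MAX   0xff

/*
 * Number of payload bytes that one element of the "txt" array contributes
 * to the TXT record: 0 for elements that are not strings or are empty,
 * otherwise the string length clamped to TXT_ENTRY_MAX.
 *
 * The sizing pass and the copy pass in service_load() both use this helper,
 * so the allocated size and the number of bytes written cannot diverge.
 */
static int
service_txt_entry_len(struct blob_attr *txt)
{
        size_t len;

        /* blobmsg_get_string() does not check the type; reject non-strings here. */
        if (blobmsg_type(txt) != BLOBMSG_TYPE_STRING)
                return 0;

        len = strlen(blobmsg_get_string(txt));

        return len > TXT_ENTRY_MAX ? TXT_ENTRY_MAX : (int) len;
}

/*
 * Load service definitions from every file matching the glob pattern @path
 * and add them to the services vlist.
 *
 * Each file is parsed as JSON; every top-level attribute that carries both
 * a "port" and a "txt" attribute becomes one struct service named after
 * the attribute.  Files that fail to parse and entries that cannot be
 * allocated are skipped.
 *
 * The file contents are input that is only partly validated by
 * blobmsg_parse(), so the TXT strings are measured and copied with the same
 * helper and s->txt_len is exactly the number of bytes written.
 */
static void
service_load(char *path)
{
        struct blob_attr *txt, *cur, *_tb[__SERVICE_MAX];
        size_t i;
        int rem;
        glob_t gl;

        if (glob(path, GLOB_NOESCAPE | GLOB_MARK, NULL, &gl))
                return;

        for (i = 0; i < gl.gl_pathc; i++) {
                blob_buf_init(&b, 0);

                if (!blobmsg_add_json_from_file(&b, gl.gl_pathv[i]))
                        continue;

                blob_for_each_attr(cur, b.head, rem) {
                        struct service *s;
                        char *d_service, *d_daemon;
                        uint8_t *d_txt;
                        int rem2;
                        int txt_len = 0;

                        blobmsg_parse(service_policy, ARRAY_SIZE(service_policy),
                                _tb, blobmsg_data(cur), blobmsg_data_len(cur));
                        if (!_tb[SERVICE_PORT] || !_tb[SERVICE_TXT])
                                continue;

                        /* Sizing pass: one length byte plus the clamped string per entry. */
                        blobmsg_for_each_attr(txt, _tb[SERVICE_TXT], rem2) {
                                int len = service_txt_entry_len(txt);

                                if (len)
                                        txt_len += 1 + len;
                        }

                        /* One allocation holds the struct, both names and the TXT data. */
                        s = calloc_a(sizeof(*s),
                                &d_daemon, strlen(gl.gl_pathv[i]) + 1,
                                &d_service, strlen(blobmsg_name(cur)) + 1,
                                &d_txt, txt_len);
                        if (!s)
                                continue;

                        s->port = blobmsg_get_u32(_tb[SERVICE_PORT]);
                        s->service = strcpy(d_service, blobmsg_name(cur));
                        s->daemon = strcpy(d_daemon, gl.gl_pathv[i]);
                        s->active = 1;
                        s->t = 0;
                        s->txt_len = txt_len;
                        s->txt = d_txt;

                        /* Copy pass: writes exactly txt_len bytes, see the sizing pass. */
                        blobmsg_for_each_attr(txt, _tb[SERVICE_TXT], rem2) {
                                int len = service_txt_entry_len(txt);

                                if (!len)
                                        continue;
                                *d_txt++ = len;
                                memcpy(d_txt, blobmsg_get_string(txt), len);
                                d_txt += len;
                        }

                        vlist_add(&services, &s->node, s->service);
                }
        }

        /* Release the path list that glob() allocated. */
        globfree(&gl);
}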
272
/*
 * (Re)load the set of announced services.
 *
 * The definitions are JSON files matching /tmp/run/mdnsd/<any name>.  Their
 * contents decide which names, ports and TXT strings this host announces,
 * so write access to that directory should be limited to trusted processes.
 *
 * The load is bracketed by vlist_update() and vlist_flush() on the services
 * list.
 */
void
service_init(void)
{
        char *pattern = "/tmp/run/mdnsd/*";

        get_hostname();

        vlist_update(&services);
        service_load(pattern);
        vlist_flush(&services);
}
282
/*
 * Shutdown counterpart of service_init(): flush the services vlist and
 * release the blob buffer that service_load() uses for parsing.
 */
void
service_cleanup(void)
{
        vlist_flush(&services);
        blob_buf_free(&b);
}