[IOT-2786] ignore wrong ACE version in ACL 21/22721/2
authorNathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Fri, 6 Oct 2017 20:59:16 +0000 (13:59 -0700)
committerNathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Tue, 17 Oct 2017 16:30:26 +0000 (16:30 +0000)
The current parsing code will accept a v1 ACE in a V2 /acl payload
and vice versa.  It should at least ignore and skip the wrong-version
ACE.

Change-Id: I9cb3fc84671afe25a730484e4fb2904a0d3c5c95
Signed-off-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
resource/csdk/security/src/aclresource.c

index 1d903a4..2152240 100644 (file)
@@ -1589,7 +1589,11 @@ static OicSecAcl_t* CBORPayloadToAclVersionOpt(const uint8_t *cborPayload, const
                                 // subjectuuid
                                 if (0 == strcmp(name, OIC_JSON_SUBJECTID_NAME)) // ace v1
                                 {
-                                    if (cbor_value_is_text_string(&aceMap))
+                                    if (OIC_SEC_ACL_V2 == aclistVersion)
+                                    {
+                                        OIC_LOG_V(WARNING, TAG, "%s v1 ACE subject tag found in v2 aclist2, skipping!", __func__);
+                                    }
+                                    else if (cbor_value_is_text_string(&aceMap))
                                     {
                                         char *subject = NULL;
                                         cborFindResult = cbor_value_dup_text_string(&aceMap, &subject, &tempLen, NULL);
@@ -1622,7 +1626,11 @@ static OicSecAcl_t* CBORPayloadToAclVersionOpt(const uint8_t *cborPayload, const
                                     memset(&subjectMap, 0, sizeof(subjectMap));
                                     size_t unusedLen = 0;
 
-                                    if (cbor_value_is_container(&aceMap))
+                                    if (OIC_SEC_ACL_V1 == aclistVersion)
+                                    {
+                                        OIC_LOG_V(WARNING, TAG, "%s v2 ACE subject tag found in v1 aclist, skipping!", __func__);
+                                    }
+                                    else if (cbor_value_is_container(&aceMap))
                                     {
                                         // next container within subject is either didtype, roletype, or conntype
                                         cborFindResult = cbor_value_enter_container(&aceMap, &subjectMap);