apps/low-level-can-service.git
9 years agoFine-tune the readme
Petteri Aimonen [Sat, 26 Sep 2015 09:47:34 +0000 (12:47 +0300)]
Fine-tune the readme

9 years agoClean up the python2/python3 string type handling
Petteri Aimonen [Sat, 26 Sep 2015 09:32:12 +0000 (12:32 +0300)]
Clean up the python2/python3 string type handling

9 years agoMerge pull request #170 from kylemanna/travis-ci
Petteri Aimonen [Sat, 26 Sep 2015 09:21:08 +0000 (12:21 +0300)]
Merge pull request #170 from kylemanna/travis-ci

Add Travis CI Support

9 years agoMerge pull request #169 from kylemanna/python3
Petteri Aimonen [Sat, 26 Sep 2015 09:08:55 +0000 (12:08 +0300)]
Merge pull request #169 from kylemanna/python3

Add proper Python3 support to the generator

9 years agoSetting version to 0.3.5-dev
Petteri Aimonen [Sat, 26 Sep 2015 09:07:08 +0000 (12:07 +0300)]
Setting version to 0.3.5-dev

9 years agoPublishing nanopb-0.3.4
Petteri Aimonen [Sat, 26 Sep 2015 08:23:59 +0000 (11:23 +0300)]
Publishing nanopb-0.3.4

9 years agoAdd initialization to examples/simple
Petteri Aimonen [Thu, 24 Sep 2015 17:32:29 +0000 (20:32 +0300)]
Add initialization to examples/simple

9 years agoMerge pull request #171 from kylemanna/misc
Petteri Aimonen [Tue, 22 Sep 2015 04:24:21 +0000 (07:24 +0300)]
Merge pull request #171 from kylemanna/misc

decode: Fix compiler issue with gcc-5

9 years agodecode: Fix compiler issue with gcc-5
Kyle Manna [Mon, 21 Sep 2015 18:03:12 +0000 (11:03 -0700)]
decode: Fix compiler issue with gcc-5

* gcc 5.0 and 5.1 appear to take issue with this line and generates the
  following error:

    /home/nitro/tmp/nanopb/pb_decode.c: In function ‘pb_decode_noinit’:
    /home/nitro/tmp/nanopb/pb_decode.c:889:60: error: conversion to ‘uint8_t {aka unsigned char}’ from ‘int’ may alter its value [-Werror=conversion]
                 fields_seen[iter.required_field_index >> 3] |= (uint8_t)(1 << (iter.required_field_index & 7));
                                                                ^
* This seems like a compiler bug, but this workaround is harmless.

9 years agotravis-ci: Use protobuf v3 as it adds python3
Kyle Manna [Mon, 21 Sep 2015 16:04:11 +0000 (09:04 -0700)]
travis-ci: Use protobuf v3 as it adds python3

* Still in testing currently.

9 years agotravis-ci: Build C/C++/Python matrix
Kyle Manna [Mon, 21 Sep 2015 05:58:54 +0000 (22:58 -0700)]
travis-ci: Build C/C++/Python matrix

* Test a number of C compilers
* Travis CI can't handle three languages (C, C++, Python)
* Add support for swapping python2/3 binaries
* Scons has made no attempts to support python3 yet:
* Build the matrix manually
* Scons doesn't inherit $CC/$CXX from parent environement,
  so pass compiler flags directly

9 years agogenerator: Use search $PATH for python
Kyle Manna [Mon, 21 Sep 2015 15:16:17 +0000 (08:16 -0700)]
generator: Use search $PATH for python

* Search $PATH for the python binary so that this works better with
  things like virtualenv as used on Travis CI

9 years agotravis-ci: Initial working build
Kyle Manna [Mon, 21 Sep 2015 04:49:48 +0000 (21:49 -0700)]
travis-ci: Initial working build

* Initial working build for Travis CI build system.

9 years agogenerator: Fix strange unicode/str issue in python2
Kyle Manna [Mon, 21 Sep 2015 01:39:45 +0000 (18:39 -0700)]
generator: Fix strange unicode/str issue in python2

* Work around this by checking the appropriate class for the given
* environment.

9 years agogenerator: Attempt to simplify the str/unicode madness
Kyle Manna [Mon, 21 Sep 2015 00:22:25 +0000 (17:22 -0700)]
generator: Attempt to simplify the str/unicode madness

* This is a shot in the dark.

9 years agogenerator: Strings are utf-8 by default in python3
Kyle Manna [Sat, 19 Sep 2015 22:13:05 +0000 (15:13 -0700)]
generator: Strings are utf-8 by default in python3

* Not sure how to handle this case in python2, seems to work
* Python 3 doesn't need this since all strings are utf-8

9 years agogenerator: Remove cmp() to work with Python3
Kyle Manna [Sat, 19 Sep 2015 22:03:13 +0000 (15:03 -0700)]
generator: Remove cmp() to work with Python3

* Python3 ignores cmp() and __cmp__() and only needs __lt__() for
  sorting.  Delete and update as appropriate.
* Ref: https://docs.python.org/3.0/whatsnew/3.0.html#ordering-comparisons

9 years agogenerator: More exhaustive field size checking
Kyle Manna [Sat, 19 Sep 2015 21:36:55 +0000 (14:36 -0700)]
generator: More exhaustive field size checking

Create a FieldMaxSize class that:
* Accumlates all C assertions
* Handles the checking of the longest simple field
* Also python3 doesn't support max(None)

9 years agogenerator: Use python2/3 binary read/write method
Kyle Manna [Sat, 19 Sep 2015 21:30:21 +0000 (14:30 -0700)]
generator: Use python2/3 binary read/write method

* This works with python2 and python3

9 years agogenerator: Run python's 2to3 converter
Kyle Manna [Sat, 19 Sep 2015 21:12:36 +0000 (14:12 -0700)]
generator: Run python's 2to3 converter

* Invoked with `2to3 -w nanopb_generator.py`
* No other changes.

9 years agocmake: Don't explicitly look for python2
Kyle Manna [Sat, 19 Sep 2015 22:19:28 +0000 (15:19 -0700)]
cmake: Don't explicitly look for python2

* Use the system python binary and make sure the generator works with
  both instead.

9 years agogenerator: Don't force python2
Kyle Manna [Sat, 19 Sep 2015 21:42:03 +0000 (14:42 -0700)]
generator: Don't force python2

Python2 is being phased out of the default python interpreter.  Arch
Linux has moved some time ago and upcoming Debian realeases will follow.

My distro, Arch, doesn't have a python2-protobuf version, but does have
a python3 version.  With a python 2 & 3 compatible generator the exact
interpreter can be ignored and can use the system default as most users
expect.

Update issue #155

9 years agoUpdate changelog
Petteri Aimonen [Sun, 20 Sep 2015 11:37:39 +0000 (14:37 +0300)]
Update changelog

9 years agoAdd syntax specification to .proto files (issue #167)
Petteri Aimonen [Sun, 20 Sep 2015 11:12:19 +0000 (14:12 +0300)]
Add syntax specification to .proto files (issue #167)

Eliminates a warning on protoc 3.0.

9 years agoFix maximum encoded size for negative enums (issue #166).
Petteri Aimonen [Sun, 13 Sep 2015 08:38:54 +0000 (11:38 +0300)]
Fix maximum encoded size for negative enums (issue #166).

9 years agoMake the generator understand included files (issue #165).
Petteri Aimonen [Sat, 12 Sep 2015 12:45:37 +0000 (15:45 +0300)]
Make the generator understand included files (issue #165).

This will allow message sizes and enum options to be available
across the include files.

Currently searching for .options files for included files may
not work for all path combinations, this is related to issue #116.
Should probably make a pull request to protoc about that.

9 years agoRefactor the generator logic into a ProtoFile class.
Petteri Aimonen [Sat, 12 Sep 2015 11:46:00 +0000 (14:46 +0300)]
Refactor the generator logic into a ProtoFile class.

In preparation for multi-file support in generator.
No functional changes yet.

9 years agoExpand the multiple_files test case to include oneofs and enums
Petteri Aimonen [Sat, 12 Sep 2015 10:27:56 +0000 (13:27 +0300)]
Expand the multiple_files test case to include oneofs and enums

9 years agoFix handling of unsigned 8- or 16-bit enums.
Petteri Aimonen [Sat, 12 Sep 2015 10:04:22 +0000 (13:04 +0300)]
Fix handling of unsigned 8- or 16-bit enums.

Previously unsigned enums would throw errors on decoding if the value
went outside the signed range (issue #164).

Currently only helps for enums defined within the same file, but solving
issue #165 will make it work for multiple files also.

9 years agoAdd testcase for issue #164
Petteri Aimonen [Sat, 12 Sep 2015 09:16:58 +0000 (12:16 +0300)]
Add testcase for issue #164

9 years agoAdd packed_enum option to generator.
Petteri Aimonen [Sat, 12 Sep 2015 09:15:27 +0000 (12:15 +0300)]
Add packed_enum option to generator.

This can be generally useful for saving RAM, but also makes
it easier to test for issue #164.

9 years agoAdd note about running tests on Mac OS X
Petteri Aimonen [Sat, 11 Jul 2015 06:23:47 +0000 (09:23 +0300)]
Add note about running tests on Mac OS X

9 years agoAdd link to forum to the readme
Petteri Aimonen [Wed, 1 Jul 2015 16:48:43 +0000 (19:48 +0300)]
Add link to forum to the readme

9 years agoMerge pull request #157 from ivankravets/patch-1
Petteri Aimonen [Wed, 17 Jun 2015 10:08:23 +0000 (13:08 +0300)]
Merge pull request #157 from ivankravets/patch-1

Specify additional fields for @PlatformIO Registry

9 years agoSpecify additional fields for @PlatformIO Registry
Ivan Kravets [Wed, 17 Jun 2015 10:05:01 +0000 (13:05 +0300)]
Specify additional fields for @PlatformIO Registry

9 years agoMerge pull request #156 from ncolomer/master
Petteri Aimonen [Tue, 16 Jun 2015 11:58:25 +0000 (14:58 +0300)]
Merge pull request #156 from ncolomer/master

PlatformIO Library Registry manifest file

9 years agoPlatformIO Library Registry manifest file
Nicolas Colomer [Tue, 16 Jun 2015 11:47:34 +0000 (13:47 +0200)]
PlatformIO Library Registry manifest file

9 years agoAdd download link to readme
Petteri Aimonen [Thu, 7 May 2015 16:59:56 +0000 (19:59 +0300)]
Add download link to readme

9 years agoFix for previous (issue #155)
Petteri Aimonen [Tue, 28 Apr 2015 15:16:51 +0000 (18:16 +0300)]
Fix for previous (issue #155)

9 years agoPrefer python2 in generator/protoc-gen-nanopb.
Petteri Aimonen [Tue, 28 Apr 2015 15:14:24 +0000 (18:14 +0300)]
Prefer python2 in generator/protoc-gen-nanopb.

Update issue 155
Status: FixedInGit

9 years agoSetting version to 0.3.4-dev
Petteri Aimonen [Fri, 10 Apr 2015 18:07:25 +0000 (21:07 +0300)]
Setting version to 0.3.4-dev

9 years agoPublishing nanopb-0.3.3
Petteri Aimonen [Fri, 10 Apr 2015 17:46:33 +0000 (20:46 +0300)]
Publishing nanopb-0.3.3

9 years agoSwitch to .tar.gz format for Mac OS X packages.
Petteri Aimonen [Wed, 8 Apr 2015 15:38:03 +0000 (18:38 +0300)]
Switch to .tar.gz format for Mac OS X packages.

Update issue 154
Status: FixedInGit

9 years agoFix problem with plugin options on Python 2.7.2 and older.
Petteri Aimonen [Wed, 8 Apr 2015 15:05:25 +0000 (18:05 +0300)]
Fix problem with plugin options on Python 2.7.2 and older.

Update issue 153
Status: FixedInGit

9 years agoUpdate changelog
Petteri Aimonen [Fri, 3 Apr 2015 18:14:06 +0000 (21:14 +0300)]
Update changelog

9 years agoClear callbacks for union fields.
Petteri Aimonen [Fri, 3 Apr 2015 18:07:14 +0000 (21:07 +0300)]
Clear callbacks for union fields.

Update issue 148
Status: FixedInGit

9 years agoFix for test case build rules
Petteri Aimonen [Fri, 3 Apr 2015 18:00:57 +0000 (21:00 +0300)]
Fix for test case build rules

9 years agoImprove comment support in .options files.
Petteri Aimonen [Fri, 3 Apr 2015 17:43:13 +0000 (20:43 +0300)]
Improve comment support in .options files.

Update issue 145
Status: FixedInGit

9 years agoAlways define enum long names so that cross-file references work.
Petteri Aimonen [Fri, 3 Apr 2015 17:08:05 +0000 (20:08 +0300)]
Always define enum long names so that cross-file references work.

Update issue 118
Status: FixedInGit

9 years agoAdd basic docs for msgid functionality
Petteri Aimonen [Fri, 3 Apr 2015 16:46:57 +0000 (19:46 +0300)]
Add basic docs for msgid functionality

9 years agoGenerate #defines for plain message ids
Petteri Aimonen [Fri, 3 Apr 2015 16:44:23 +0000 (19:44 +0300)]
Generate #defines for plain message ids

9 years agoAdd simple test case for message ids
Petteri Aimonen [Sun, 22 Mar 2015 09:19:43 +0000 (11:19 +0200)]
Add simple test case for message ids

9 years agoUse make_identifier() to create the name for FOO_MESSAGES define.
Petteri Aimonen [Sun, 22 Mar 2015 09:17:57 +0000 (11:17 +0200)]
Use make_identifier() to create the name for FOO_MESSAGES define.

This handles special charaters like in "my-file.proto" properly.
Also use headerbasename instead of full path, so that compiling files
with relative path doesn't create symbols like FOO/BAR/BAZ_MESSAGES.

9 years agonanopb_generator.py: emit macros for msgid message type id use
Michael Haberler [Sun, 22 Mar 2015 01:18:24 +0000 (02:18 +0100)]
nanopb_generator.py: emit macros for msgid message type id use

9 years agonanopb.proto: add msgid message-level option
Michael Haberler [Sun, 22 Mar 2015 01:17:30 +0000 (02:17 +0100)]
nanopb.proto: add msgid message-level option

9 years agoFix oneof submessage initialization bug.
Petteri Aimonen [Sat, 7 Mar 2015 08:25:09 +0000 (10:25 +0200)]
Fix oneof submessage initialization bug.

Update issue 149
Status: FixedInGit

9 years agoBetter error messages for syntax errors in .options file
Petteri Aimonen [Thu, 26 Feb 2015 16:16:25 +0000 (18:16 +0200)]
Better error messages for syntax errors in .options file

9 years agoFix generator error when long_names:false is combined with Oneofs.
Petteri Aimonen [Thu, 26 Feb 2015 15:33:36 +0000 (17:33 +0200)]
Fix generator error when long_names:false is combined with Oneofs.

Update issue 147
Status: FixedInGit

9 years agoInclude libprotobuf in linux binary package.
Petteri Aimonen [Sun, 22 Feb 2015 13:28:26 +0000 (15:28 +0200)]
Include libprotobuf in linux binary package.

Previously this got included by bbfreeze, but apparently no more.

Update issue 146
Status: FixedInGit

9 years agoLower required CMake version in example
Petteri Aimonen [Fri, 13 Feb 2015 16:57:46 +0000 (18:57 +0200)]
Lower required CMake version in example

9 years agoUpdate cmake_simple example readme
Petteri Aimonen [Fri, 13 Feb 2015 16:42:35 +0000 (18:42 +0200)]
Update cmake_simple example readme

9 years agoAdd simple example built with CMake
Oliver Lee [Fri, 13 Feb 2015 16:28:27 +0000 (17:28 +0100)]
Add simple example built with CMake

9 years agoFix search for Python 2 with CMake
Oliver Lee [Fri, 13 Feb 2015 16:14:00 +0000 (17:14 +0100)]
Fix search for Python 2 with CMake

Do not assume that Python has already been found by CMake. Fix value of
CMake variable PYTHON_EXECUTABLE if Python 3 was found. Change minimum
supported Python version to 2.6.

This fixes a bug introduced by this commit:
d8d3b75e2e3b348d016f48cebc1be764061975d2

9 years agoUpdates for the CMake rule file.
Oliver Lee [Fri, 13 Feb 2015 09:26:31 +0000 (10:26 +0100)]
Updates for the CMake rule file.

1) Search explicitly for python2.7

In systems where python3 is default or in build cases where the user has
already searched for and found python3 in CMake, store the python3
executable and search for python2.7.

2) Generate nanopb core protobuf files with CMake

Generate python output files used in turn by the nanopb generator
script. This removes the requirement of manually calling 'make' in the
nanopb/generator/proto directory.

3) Use nanopb options file if it exists

Look for nanopb options file and use in protobuf source and header
generation if it exists. The options file must have the same name and
path as the proto file, excluding the extension.

9 years agoFix generator bug when oneof is first field in a message.
Petteri Aimonen [Tue, 27 Jan 2015 15:47:25 +0000 (17:47 +0200)]
Fix generator bug when oneof is first field in a message.

Added test case for the same.

Update issue 142
Status: FixedInGit

9 years agoSetting version to nanopb-0.3.3-dev
Petteri Aimonen [Sat, 24 Jan 2015 15:40:42 +0000 (17:40 +0200)]
Setting version to nanopb-0.3.3-dev

9 years agoPublishing nanopb-0.3.2
Petteri Aimonen [Sat, 24 Jan 2015 15:33:01 +0000 (17:33 +0200)]
Publishing nanopb-0.3.2

9 years agoFix encoded_size #defines for oneof messages.
Petteri Aimonen [Fri, 23 Jan 2015 19:29:29 +0000 (21:29 +0200)]
Fix encoded_size #defines for oneof messages.

The sizes are represented as EncodedSize() instances, which cause
max() operation to sort them by address instead of value. This caused
pretty much random item to be selected for the maximum.

Update issue 141
Status: FixedInGit

9 years agoUpdate changelog
Petteri Aimonen [Thu, 15 Jan 2015 17:34:49 +0000 (19:34 +0200)]
Update changelog

9 years agoFix clang compiler warning in intsizes unit test.
Petteri Aimonen [Thu, 15 Jan 2015 17:18:48 +0000 (19:18 +0200)]
Fix clang compiler warning in intsizes unit test.

9 years agoRelease memory when overwriting oneof fields.
Petteri Aimonen [Thu, 15 Jan 2015 16:58:08 +0000 (18:58 +0200)]
Release memory when overwriting oneof fields.

Update issue 131
Status: FixedInGit

9 years agoAdd oneofs to AllTypes test case
Petteri Aimonen [Sun, 11 Jan 2015 17:47:27 +0000 (19:47 +0200)]
Add oneofs to AllTypes test case

9 years agoBugfixes for oneof support.
Petteri Aimonen [Sun, 11 Jan 2015 17:46:15 +0000 (19:46 +0200)]
Bugfixes for oneof support.

Fixes crashes / memory leaks when using pointer type fields.
Also fixes initialization of which_oneof fields.

9 years agoNew generator options for oneofs: allow skipping or generating as normal 'optional...
Petteri Aimonen [Sun, 11 Jan 2015 17:38:05 +0000 (19:38 +0200)]
New generator options for oneofs: allow skipping or generating as normal 'optional' fields.

The behaviour with no_unions:true is the same as of nanopb 0.3.1 and earlier.

9 years agoFix generator error with OneOfs
Petteri Aimonen [Wed, 7 Jan 2015 16:59:44 +0000 (18:59 +0200)]
Fix generator error with OneOfs

9 years agoAllow using 8/16/32/64 as values in int_size setting
Petteri Aimonen [Mon, 5 Jan 2015 20:32:34 +0000 (22:32 +0200)]
Allow using 8/16/32/64 as values in int_size setting

9 years agoActually make the protoc version check work
Petteri Aimonen [Sun, 4 Jan 2015 18:20:40 +0000 (20:20 +0200)]
Actually make the protoc version check work

9 years agoOnly run oneof test when protoc >= 2.6 is available
Petteri Aimonen [Sun, 4 Jan 2015 18:00:37 +0000 (20:00 +0200)]
Only run oneof test when protoc >= 2.6 is available

9 years agoFix build failure
Petteri Aimonen [Sun, 4 Jan 2015 17:48:09 +0000 (19:48 +0200)]
Fix build failure

9 years agoImplement support for oneofs (C unions).
Petteri Aimonen [Sun, 4 Jan 2015 17:39:37 +0000 (19:39 +0200)]
Implement support for oneofs (C unions).

Basic test included, should probably add an oneof to the AllTypes test also.

Update issue 131
Status: Started

9 years agoDetect too large varint values when decoding.
Petteri Aimonen [Sun, 4 Jan 2015 10:04:24 +0000 (12:04 +0200)]
Detect too large varint values when decoding.

Because Issue #139 now allows limiting integer fields, it is good
to check the values received from other protobuf libraries against
the lower limits.

9 years agoAdd int_size option for generator.
Petteri Aimonen [Sun, 4 Jan 2015 09:36:42 +0000 (11:36 +0200)]
Add int_size option for generator.

This allows overriding the integer field types to e.g. uint8_t for
saving RAM.

Update issue 139
Status: FixedInGit

9 years agoChange PB_RETURN_ERROR() macro to avoid compiler warnings.
Petteri Aimonen [Sat, 3 Jan 2015 08:59:19 +0000 (10:59 +0200)]
Change PB_RETURN_ERROR() macro to avoid compiler warnings.

Update issue 140
Status: FixedInGit

9 years agoFix build failure due to missing dependency in SConscript
Petteri Aimonen [Fri, 26 Dec 2014 22:37:59 +0000 (00:37 +0200)]
Fix build failure due to missing dependency in SConscript

9 years agoFix memory leaks with PB_ENABLE_MALLOC and certain submessage type combinations.
Petteri Aimonen [Fri, 26 Dec 2014 21:14:39 +0000 (23:14 +0200)]
Fix memory leaks with PB_ENABLE_MALLOC and certain submessage type combinations.

There was a memory leak when:

1) A statically allocated submessage or
2) an extension field submessage

contained

A) a pointer-type field or
B) a submessage that further contained a pointer-type field.

This was because pb_release() didn't recurse into non-pointer fields.

Update issue 138
Status: FixedInGit

9 years agoInitialize also extension fields to defaults in pb_decode().
Petteri Aimonen [Fri, 26 Dec 2014 21:13:07 +0000 (23:13 +0200)]
Initialize also extension fields to defaults in pb_decode().

This makes the behaviour more consistent with non-extension fields,
and also makes sure that all 'found' fields of extensions are initially
false.

9 years agoFix bug in backwards_compatibility test case.
Petteri Aimonen [Fri, 26 Dec 2014 21:03:04 +0000 (23:03 +0200)]
Fix bug in backwards_compatibility test case.

The memset() filled also the extensions field, which was just
waiting for a crash to happen.

9 years agoAdd testcase for releasing memory in submessages/extensions
Petteri Aimonen [Fri, 26 Dec 2014 16:24:23 +0000 (18:24 +0200)]
Add testcase for releasing memory in submessages/extensions

9 years agoAdd support for POINTER type in extensions
Petteri Aimonen [Fri, 26 Dec 2014 16:23:36 +0000 (18:23 +0200)]
Add support for POINTER type in extensions

9 years agoInclude the field type in a comment for extension fields
Petteri Aimonen [Fri, 26 Dec 2014 15:43:38 +0000 (17:43 +0200)]
Include the field type in a comment for extension fields

9 years agoMove malloc support to tests/common directory
Petteri Aimonen [Fri, 26 Dec 2014 15:34:45 +0000 (17:34 +0200)]
Move malloc support to tests/common directory

9 years agoMove malloc_wrappers.c to tests/common
Petteri Aimonen [Fri, 26 Dec 2014 15:08:17 +0000 (17:08 +0200)]
Move malloc_wrappers.c to tests/common

9 years agoVerify build with protobuf-3.0.0, fix problems.
Petteri Aimonen [Mon, 22 Dec 2014 20:52:36 +0000 (22:52 +0200)]
Verify build with protobuf-3.0.0, fix problems.

Also updated descriptor.proto from protobuf-3.0.0.

9 years agoAdd compilation option to disable struct packing.
Petteri Aimonen [Mon, 22 Dec 2014 18:52:40 +0000 (20:52 +0200)]
Add compilation option to disable struct packing.

Update issue 136
Status: FixedInGit

10 years agoSet version to nanopb-0.3.2-dev
Petteri Aimonen [Tue, 16 Sep 2014 17:41:45 +0000 (20:41 +0300)]
Set version to nanopb-0.3.2-dev

10 years agoPublishing nanopb-0.3.1
Petteri Aimonen [Thu, 11 Sep 2014 16:36:14 +0000 (19:36 +0300)]
Publishing nanopb-0.3.1

10 years agoUpdate changelog
Petteri Aimonen [Thu, 11 Sep 2014 16:26:32 +0000 (19:26 +0300)]
Update changelog

10 years agoAdd a fuzz testing stub for ability to use external generators also
Petteri Aimonen [Thu, 11 Sep 2014 14:58:53 +0000 (17:58 +0300)]
Add a fuzz testing stub for ability to use external generators also

10 years agoProtect against size_t overflows in pb_dec_bytes/pb_dec_string.
Petteri Aimonen [Mon, 8 Sep 2014 14:34:16 +0000 (17:34 +0300)]
Protect against size_t overflows in pb_dec_bytes/pb_dec_string.

Possible consequences of bug:
1) Denial of service by causing a crash
   Possible when all of the following apply:
      - Untrusted data is passed to pb_decode()
      - The top-level message contains a static string field as the first field.
   Causes a single write of '0' byte to 1 byte before the message struct.

2) Remote code execution
   Possible when all of the following apply:
      - 64-bit platform
      - The message or a submessage contains a static/pointer string field.
      - Decoding directly from a custom pb_istream_t
      - bytes_left on the stream is set to larger than 4 GB
   Causes a write of up to 4 GB of data past the string field.

3) Possible heap corruption or remote code execution
   Possible when all of the following apply:
      - less than 64-bit platform
      - The message or a submessage contains a pointer-type bytes field.
   Causes a write of sizeof(pb_size_t) bytes of data past a 0-byte long
   malloc()ed buffer. On many malloc() implementations, this causes at
   most a crash. However, remote code execution through a controlled jump
   cannot be ruled out.

--

Detailed analysis follows

In the following consideration, I define "platform bitness" as equal to
number of bits in size_t datatype. Therefore most 8-bit platforms are
regarded as 16-bit for the purposes of this discussion.

1. The overflow in pb_dec_string

The overflow happens in this computation:

uint32_t size;
size_t alloc_size;
alloc_size = size + 1;

There are two ways in which the overflow can occur: In the uint32_t
addition, or in the cast to size_t. This depends on the platform
bitness.

On 32- and 64-bit platforms, the size has to be UINT32_MAX for the
overflow to occur. In that case alloc_size will be 0.

On 16-bit platforms, overflow will happen whenever size is more than
UINT16_MAX, and resulting alloc_size is attacker controlled.

For static fields, the alloc_size value is just checked against the
field data size. For pointer fields, the alloc_size value is passed to
malloc(). End result in both cases is the same, the storage is 0 or
just a few bytes in length.

On 16-bit platforms, another overflow occurs in the call to pb_read(),
when passing the original size. An attacker will want the passed value
to be larger than the alloc_size, therefore the only reasonable choice
is to have size = UINT16_MAX and alloc_size = 0. Any larger multiple
will truncate to the same values.

At this point we have read atleast the tag and the string length of the
message, i.e. atleast 3 bytes. The maximum initial value for stream
bytes_left is SIZE_MAX, thus at this point at most SIZE_MAX-3 bytes are
remaining.

On 32-bit and 16-bit platforms this means that the size passed to
pb_read() is always larger than the number of remaining bytes. This
causes pb_read() to fail immediately, before reading any bytes.

On 64-bit platforms, it is possible for the bytes_left value to be set
to a value larger than UINT32_MAX, which is the wraparound point in
size calculation. In this case pb_read() will succeed and write up to 4
GB of attacker controlled data over the RAM that comes after the string
field.

On all platforms, there is an unconditional write of a terminating null
byte. Because the size of size_t typically reflects the size of the
processor address space, a write at UINT16_MAX or UINT32_MAX bytes
after the string field actually wraps back to before the string field.
Consequently, on 32-bit and 16-bit platforms, the bug causes a single
write of '0' byte at one byte before the string field.

If the string field is in the middle of a message, this will just
corrupt other data in the message struct. Because the message contents
is attacker controlled anyway, this is a non-issue. However, if the
string field is the first field in the top-level message, it can
corrupt other data on the stack/heap before it. Typically a single '0'
write at a location not controlled by attacker is enough only for a
denial-of-service attack.

When using pointer fields and malloc(), the attacker controlled
alloc_size will cause a 0-size allocation to happen. By the same logic
as before, on 32-bit and 16-bit platforms this causes a '0' byte write
only. On 64-bit platforms, however, it will again allow up to 4 GB of
malicious data to be written over memory, if the stream length allows
the read.

2. The overflow in pb_dec_bytes

This overflow happens in the PB_BYTES_ARRAY_T_ALLOCSIZE macro:

The computation is done in size_t data type this time. This means that
an overflow is possible only when n is larger than SIZE_MAX -
offsetof(..). The offsetof value in this case is equal to
sizeof(pb_size_t) bytes.

Because the incoming size value is limited to 32 bits, no overflow can
happen here on 64-bit platforms.

The size will be passed to pb_read(). Like before, on 32-bit and 16-bit
platforms the read will always fail before writing anything.

This leaves only the write of bdest->size as exploitable. On statically
allocated fields, the size field will always be allocated, regardless
of alloc_size. In this case, no buffer overflow is possible here, but
user code could possibly use the attacker controlled size value and
read past a buffer.

If the field is allocated through malloc(), this will allow a write of
sizeof(pb_size_t) attacker controlled bytes to past a 0-byte long
buffer. In typical malloc implementations, this will either fit in
unused alignment padding area, or cause a heap corruption and a crash.
Under very exceptional situation it could allow attacker to influence
the behaviour of malloc(), possibly jumping into an attacker-controlled
location and thus leading to remote code execution.

10 years agoAdd just-to-be-sure check to allocate_field().
Petteri Aimonen [Mon, 8 Sep 2014 14:33:05 +0000 (17:33 +0300)]
Add just-to-be-sure check to allocate_field().

This check will help to detect bugs earlier, and is quite lightweight
compared to malloc() anyway.