system/core
Revisión | 3fa15fd97eff37d424e7f548837a35f3d67400ff (tree) |
---|---|
Tiempo | 2019-10-16 23:35:22 |
Autor | Chih-Wei Huang <cwhuang@linu...> |
Commiter | Chih-Wei Huang |
Merge tag 'android-7.1.2_r39' into nougat-x86
Android 7.1.2 Release 39 (5787804)
@@ -58,23 +58,16 @@ public: | ||
58 | 58 | virtual ~SoftGateKeeper() { |
59 | 59 | } |
60 | 60 | |
61 | - virtual bool GetAuthTokenKey(const uint8_t **auth_token_key, | |
62 | - uint32_t *length) const { | |
61 | + virtual bool GetAuthTokenKey(const uint8_t** auth_token_key, uint32_t* length) const { | |
63 | 62 | if (auth_token_key == NULL || length == NULL) return false; |
64 | - uint8_t *auth_token_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES]; | |
65 | - memcpy(auth_token_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES); | |
66 | - | |
67 | - *auth_token_key = auth_token_key_copy; | |
63 | + *auth_token_key = key_.get(); | |
68 | 64 | *length = SIGNATURE_LENGTH_BYTES; |
69 | 65 | return true; |
70 | 66 | } |
71 | 67 | |
72 | - virtual void GetPasswordKey(const uint8_t **password_key, uint32_t *length) { | |
68 | + virtual void GetPasswordKey(const uint8_t** password_key, uint32_t* length) { | |
73 | 69 | if (password_key == NULL || length == NULL) return; |
74 | - uint8_t *password_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES]; | |
75 | - memcpy(password_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES); | |
76 | - | |
77 | - *password_key = password_key_copy; | |
70 | + *password_key = key_.get(); | |
78 | 71 | *length = SIGNATURE_LENGTH_BYTES; |
79 | 72 | } |
80 | 73 |
@@ -219,6 +219,20 @@ int receive_packet(int s, struct dhcp_msg *msg) | ||
219 | 219 | * to construct the pseudo header used in the checksum calculation. |
220 | 220 | */ |
221 | 221 | dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp); |
222 | + /* | |
223 | + * check validity of dhcp_size. | |
224 | + * 1) cannot be negative or zero. | |
225 | + * 2) src buffer contains enough bytes to copy | |
226 | + * 3) cannot exceed destination buffer | |
227 | + */ | |
228 | + if ((dhcp_size <= 0) || | |
229 | + ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) || | |
230 | + ((int)sizeof(struct dhcp_msg) < dhcp_size)) { | |
231 | +#if VERBOSE | |
232 | + ALOGD("Malformed Packet"); | |
233 | +#endif | |
234 | + return -1; | |
235 | + } | |
222 | 236 | saddr = packet.ip.saddr; |
223 | 237 | daddr = packet.ip.daddr; |
224 | 238 | nread = ntohs(packet.ip.tot_len); |
@@ -84,6 +84,23 @@ static char16_t* allocFromUTF8(const char* u8str, size_t u8len) | ||
84 | 84 | return getEmptyString(); |
85 | 85 | } |
86 | 86 | |
87 | +static char16_t* allocFromUTF16(const char16_t* u16str, size_t u16len) { | |
88 | + if (u16len >= SIZE_MAX / sizeof(char16_t)) { | |
89 | + android_errorWriteLog(0x534e4554, "73826242"); | |
90 | + abort(); | |
91 | + } | |
92 | + | |
93 | + SharedBuffer* buf = SharedBuffer::alloc((u16len + 1) * sizeof(char16_t)); | |
94 | + ALOG_ASSERT(buf, "Unable to allocate shared buffer"); | |
95 | + if (buf) { | |
96 | + char16_t* str = (char16_t*)buf->data(); | |
97 | + memcpy(str, u16str, u16len * sizeof(char16_t)); | |
98 | + str[u16len] = 0; | |
99 | + return str; | |
100 | + } | |
101 | + return getEmptyString(); | |
102 | +} | |
103 | + | |
87 | 104 | // --------------------------------------------------------------------------- |
88 | 105 | |
89 | 106 | String16::String16() |
@@ -116,35 +133,9 @@ String16::String16(const String16& o, size_t len, size_t begin) | ||
116 | 133 | setTo(o, len, begin); |
117 | 134 | } |
118 | 135 | |
119 | -String16::String16(const char16_t* o) | |
120 | -{ | |
121 | - size_t len = strlen16(o); | |
122 | - SharedBuffer* buf = SharedBuffer::alloc((len+1)*sizeof(char16_t)); | |
123 | - ALOG_ASSERT(buf, "Unable to allocate shared buffer"); | |
124 | - if (buf) { | |
125 | - char16_t* str = (char16_t*)buf->data(); | |
126 | - strcpy16(str, o); | |
127 | - mString = str; | |
128 | - return; | |
129 | - } | |
130 | - | |
131 | - mString = getEmptyString(); | |
132 | -} | |
136 | +String16::String16(const char16_t* o) : mString(allocFromUTF16(o, strlen16(o))) {} | |
133 | 137 | |
134 | -String16::String16(const char16_t* o, size_t len) | |
135 | -{ | |
136 | - SharedBuffer* buf = SharedBuffer::alloc((len+1)*sizeof(char16_t)); | |
137 | - ALOG_ASSERT(buf, "Unable to allocate shared buffer"); | |
138 | - if (buf) { | |
139 | - char16_t* str = (char16_t*)buf->data(); | |
140 | - memcpy(str, o, len*sizeof(char16_t)); | |
141 | - str[len] = 0; | |
142 | - mString = str; | |
143 | - return; | |
144 | - } | |
145 | - | |
146 | - mString = getEmptyString(); | |
147 | -} | |
138 | +String16::String16(const char16_t* o, size_t len) : mString(allocFromUTF16(o, len)) {} | |
148 | 139 | |
149 | 140 | String16::String16(const String8& o) |
150 | 141 | : mString(allocFromUTF8(o.string(), o.size())) |
@@ -206,6 +197,11 @@ status_t String16::setTo(const char16_t* other) | ||
206 | 197 | |
207 | 198 | status_t String16::setTo(const char16_t* other, size_t len) |
208 | 199 | { |
200 | + if (len >= SIZE_MAX / sizeof(char16_t)) { | |
201 | + android_errorWriteLog(0x534e4554, "73826242"); | |
202 | + abort(); | |
203 | + } | |
204 | + | |
209 | 205 | SharedBuffer* buf = SharedBuffer::bufferFromData(mString) |
210 | 206 | ->editResize((len+1)*sizeof(char16_t)); |
211 | 207 | if (buf) { |
@@ -228,7 +224,12 @@ status_t String16::append(const String16& other) | ||
228 | 224 | } else if (otherLen == 0) { |
229 | 225 | return NO_ERROR; |
230 | 226 | } |
231 | - | |
227 | + | |
228 | + if (myLen >= SIZE_MAX / sizeof(char16_t) - otherLen) { | |
229 | + android_errorWriteLog(0x534e4554, "73826242"); | |
230 | + abort(); | |
231 | + } | |
232 | + | |
232 | 233 | SharedBuffer* buf = SharedBuffer::bufferFromData(mString) |
233 | 234 | ->editResize((myLen+otherLen+1)*sizeof(char16_t)); |
234 | 235 | if (buf) { |
@@ -249,7 +250,12 @@ status_t String16::append(const char16_t* chrs, size_t otherLen) | ||
249 | 250 | } else if (otherLen == 0) { |
250 | 251 | return NO_ERROR; |
251 | 252 | } |
252 | - | |
253 | + | |
254 | + if (myLen >= SIZE_MAX / sizeof(char16_t) - otherLen) { | |
255 | + android_errorWriteLog(0x534e4554, "73826242"); | |
256 | + abort(); | |
257 | + } | |
258 | + | |
253 | 259 | SharedBuffer* buf = SharedBuffer::bufferFromData(mString) |
254 | 260 | ->editResize((myLen+otherLen+1)*sizeof(char16_t)); |
255 | 261 | if (buf) { |