system/core
| Revisión | b825f1148cc78fa853da964de2e7e2de1b3b03b2 (tree) |
|---|---|
| Tiempo | 2016-08-26 13:56:30 |
| Autor | Connor O'Brien <connoro@goog...> |
| Commiter | gitbuildkicker |
Fix vold vulnerability in FrameworkListener
Modify FrameworkListener to ignore commands that exceed the maximum
buffer length and send an error message.
Bug: 29831647
Change-Id: I9e57d1648d55af2ca0191bb47868e375ecc26950
Signed-off-by: Connor O'Brien <connoro@google.com>
(cherry picked from commit baa126dc158a40bc83c17c6d428c760e5b93fb1a)
(cherry picked from commit 470484d2a25ad432190a01d1c763b4b36db33c7e)
include/sysutils/FrameworkListener.h (diff)
libsysutils/src/FrameworkListener.cpp (diff)| @@ -32,6 +32,7 @@ private: | ||
| 32 | 32 | int mCommandCount; |
| 33 | 33 | bool mWithSeq; |
| 34 | 34 | FrameworkCommandCollection *mCommands; |
| 35 | + bool mSkipToNextNullByte; | |
| 35 | 36 | |
| 36 | 37 | public: |
| 37 | 38 | FrameworkListener(const char *socketName); |
| @@ -49,6 +49,7 @@ void FrameworkListener::init(const char *socketName UNUSED, bool withSeq) { | ||
| 49 | 49 | errorRate = 0; |
| 50 | 50 | mCommandCount = 0; |
| 51 | 51 | mWithSeq = withSeq; |
| 52 | + mSkipToNextNullByte = false; | |
| 52 | 53 | } |
| 53 | 54 | |
| 54 | 55 | bool FrameworkListener::onDataAvailable(SocketClient *c) { |
| @@ -59,10 +60,15 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) { | ||
| 59 | 60 | if (len < 0) { |
| 60 | 61 | SLOGE("read() failed (%s)", strerror(errno)); |
| 61 | 62 | return false; |
| 62 | - } else if (!len) | |
| 63 | + } else if (!len) { | |
| 63 | 64 | return false; |
| 64 | - if(buffer[len-1] != '\0') | |
| 65 | + } else if (buffer[len-1] != '\0') { | |
| 65 | 66 | SLOGW("String is not zero-terminated"); |
| 67 | + android_errorWriteLog(0x534e4554, "29831647"); | |
| 68 | + c->sendMsg(500, "Command too large for buffer", false); | |
| 69 | + mSkipToNextNullByte = true; | |
| 70 | + return false; | |
| 71 | + } | |
| 66 | 72 | |
| 67 | 73 | int offset = 0; |
| 68 | 74 | int i; |
| @@ -70,11 +76,16 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) { | ||
| 70 | 76 | for (i = 0; i < len; i++) { |
| 71 | 77 | if (buffer[i] == '\0') { |
| 72 | 78 | /* IMPORTANT: dispatchCommand() expects a zero-terminated string */ |
| 73 | - dispatchCommand(c, buffer + offset); | |
| 79 | + if (mSkipToNextNullByte) { | |
| 80 | + mSkipToNextNullByte = false; | |
| 81 | + } else { | |
| 82 | + dispatchCommand(c, buffer + offset); | |
| 83 | + } | |
| 74 | 84 | offset = i + 1; |
| 75 | 85 | } |
| 76 | 86 | } |
| 77 | 87 | |
| 88 | + mSkipToNextNullByte = false; | |
| 78 | 89 | return true; |
| 79 | 90 | } |
| 80 | 91 |
Fork