system/core
Revision | 1742a00bf40ea0d3d818b4c96d7557b25a711d4a (tree) |
---|---|
Zeit | 2018-02-13 12:33:04 |
Autor | Chih-Wei Huang <cwhuang@linu...> |
Commiter | Chih-Wei Huang |
Merge remote-tracking branch 'lineage/cm-14.1' into cm-14.1-x86
@@ -219,6 +219,20 @@ int receive_packet(int s, struct dhcp_msg *msg) | ||
219 | 219 | * to construct the pseudo header used in the checksum calculation. |
220 | 220 | */ |
221 | 221 | dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp); |
222 | + /* | |
223 | + * check validity of dhcp_size. | |
224 | + * 1) cannot be negative or zero. | |
225 | + * 2) src buffer contains enough bytes to copy | |
226 | + * 3) cannot exceed destination buffer | |
227 | + */ | |
228 | + if ((dhcp_size <= 0) || | |
229 | + ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) || | |
230 | + ((int)sizeof(struct dhcp_msg) < dhcp_size)) { | |
231 | +#if VERBOSE | |
232 | + ALOGD("Malformed Packet"); | |
233 | +#endif | |
234 | + return -1; | |
235 | + } | |
222 | 236 | saddr = packet.ip.saddr; |
223 | 237 | daddr = packet.ip.daddr; |
224 | 238 | nread = ntohs(packet.ip.tot_len); |
@@ -17,6 +17,7 @@ | ||
17 | 17 | #include <log/log.h> |
18 | 18 | #include <utils/Unicode.h> |
19 | 19 | |
20 | +#include <limits.h> | |
20 | 21 | #include <stddef.h> |
21 | 22 | |
22 | 23 | #if defined(_WIN32) |
@@ -178,7 +179,15 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len) | ||
178 | 179 | size_t ret = 0; |
179 | 180 | const char32_t *end = src + src_len; |
180 | 181 | while (src < end) { |
181 | - ret += utf32_codepoint_utf8_length(*src++); | |
182 | + size_t char_len = utf32_codepoint_utf8_length(*src++); | |
183 | + if (SSIZE_MAX - char_len < ret) { | |
184 | + // If this happens, we would overflow the ssize_t type when | |
185 | + // returning from this function, so we cannot express how | |
186 | + // long this string is in an ssize_t. | |
187 | + android_errorWriteLog(0x534e4554, "37723026"); | |
188 | + return -1; | |
189 | + } | |
190 | + ret += char_len; | |
182 | 191 | } |
183 | 192 | return ret; |
184 | 193 | } |
@@ -438,14 +447,23 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len) | ||
438 | 447 | size_t ret = 0; |
439 | 448 | const char16_t* const end = src + src_len; |
440 | 449 | while (src < end) { |
450 | + size_t char_len; | |
441 | 451 | if ((*src & 0xFC00) == 0xD800 && (src + 1) < end |
442 | 452 | && (*(src + 1) & 0xFC00) == 0xDC00) { |
443 | 453 | // surrogate pairs are always 4 bytes. |
444 | - ret += 4; | |
454 | + char_len = 4; | |
445 | 455 | src += 2; |
446 | 456 | } else { |
447 | - ret += utf32_codepoint_utf8_length((char32_t) *src++); | |
457 | + char_len = utf32_codepoint_utf8_length((char32_t)*src++); | |
458 | + } | |
459 | + if (SSIZE_MAX - char_len < ret) { | |
460 | + // If this happens, we would overflow the ssize_t type when | |
461 | + // returning from this function, so we cannot express how | |
462 | + // long this string is in an ssize_t. | |
463 | + android_errorWriteLog(0x534e4554, "37723026"); | |
464 | + return -1; | |
448 | 465 | } |
466 | + ret += char_len; | |
449 | 467 | } |
450 | 468 | return ret; |
451 | 469 | } |
@@ -358,6 +358,8 @@ static int32_t MapCentralDirectory(int fd, const char* debug_file_name, | ||
358 | 358 | return result; |
359 | 359 | } |
360 | 360 | |
361 | +static inline bool ReadAtOffset(int fd, uint8_t* buf, size_t len, off64_t off); | |
362 | + | |
361 | 363 | /* |
362 | 364 | * Parses the Zip archive's Central Directory. Allocates and populates the |
363 | 365 | * hash table. |
@@ -436,6 +438,22 @@ static int32_t ParseZipArchive(ZipArchive* archive) { | ||
436 | 438 | return -1; |
437 | 439 | } |
438 | 440 | } |
441 | + | |
442 | + uint32_t lfh_start_bytes; | |
443 | + if (!ReadAtOffset(archive->fd, reinterpret_cast<uint8_t*>(&lfh_start_bytes), | |
444 | + sizeof(uint32_t), 0)) { | |
445 | + ALOGW("Zip: Unable to read header for entry at offset == 0."); | |
446 | + return -1; | |
447 | + } | |
448 | + | |
449 | + if (lfh_start_bytes != LocalFileHeader::kSignature) { | |
450 | + ALOGW("Zip: Entry at offset zero has invalid LFH signature %" PRIx32, lfh_start_bytes); | |
451 | +#if defined(__ANDROID__) | |
452 | + android_errorWriteLog(0x534e4554, "64211847"); | |
453 | +#endif | |
454 | + return -1; | |
455 | + } | |
456 | + | |
439 | 457 | ALOGV("+++ zip good scan %" PRIu16 " entries", num_entries); |
440 | 458 | |
441 | 459 | return 0; |
@@ -603,6 +603,55 @@ TEST(ziparchive, StreamUncompressedBadCrc) { | ||
603 | 603 | CloseArchive(handle); |
604 | 604 | } |
605 | 605 | |
606 | +// A zip file whose local file header at offset zero is corrupted. | |
607 | +// | |
608 | +// --------------- | |
609 | +// cat foo > a.txt | |
610 | +// zip a.zip a.txt | |
611 | +// cat a.zip | xxd -i | |
612 | +// | |
613 | +// Manual changes : | |
614 | +// [2] = 0xff // Corrupt the LFH signature of entry 0. | |
615 | +// [3] = 0xff // Corrupt the LFH signature of entry 0. | |
616 | +static const std::vector<uint8_t> kZipFileWithBrokenLfhSignature{ | |
617 | + //[lfh-sig-----------], [lfh contents--------------------------------- | |
618 | + 0x50, 0x4b, 0xff, 0xff, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x80, | |
619 | + //-------------------------------------------------------------------- | |
620 | + 0x09, 0x4b, 0xa8, 0x65, 0x32, 0x7e, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, | |
621 | + //-------------------------------] [file-name-----------------], [--- | |
622 | + 0x00, 0x00, 0x05, 0x00, 0x1c, 0x00, 0x61, 0x2e, 0x74, 0x78, 0x74, 0x55, | |
623 | + // entry-contents------------------------------------------------------ | |
624 | + 0x54, 0x09, 0x00, 0x03, 0x51, 0x24, 0x8b, 0x59, 0x51, 0x24, 0x8b, 0x59, | |
625 | + //-------------------------------------------------------------------- | |
626 | + 0x75, 0x78, 0x0b, 0x00, 0x01, 0x04, 0x89, 0x42, 0x00, 0x00, 0x04, 0x88, | |
627 | + //-------------------------------------], [cd-record-sig-------], [--- | |
628 | + 0x13, 0x00, 0x00, 0x66, 0x6f, 0x6f, 0x0a, 0x50, 0x4b, 0x01, 0x02, 0x1e, | |
629 | + // cd-record----------------------------------------------------------- | |
630 | + 0x03, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x80, 0x09, 0x4b, 0xa8, | |
631 | + //-------------------------------------------------------------------- | |
632 | + 0x65, 0x32, 0x7e, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05, | |
633 | + //-------------------------------------------------------------------- | |
634 | + 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xa0, | |
635 | + //-] [lfh-file-header-off-], [file-name-----------------], [extra---- | |
636 | + 0x81, 0x00, 0x00, 0x00, 0x00, 0x61, 0x2e, 0x74, 0x78, 0x74, 0x55, 0x54, | |
637 | + //-------------------------------------------------------------------- | |
638 | + 0x05, 0x00, 0x03, 0x51, 0x24, 0x8b, 0x59, 0x75, 0x78, 0x0b, 0x00, 0x01, | |
639 | + //-------------------------------------------------------], [eocd-sig- | |
640 | + 0x04, 0x89, 0x42, 0x00, 0x00, 0x04, 0x88, 0x13, 0x00, 0x00, 0x50, 0x4b, | |
641 | + //-------], [--------------------------------------------------------- | |
642 | + 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x4b, 0x00, | |
643 | + //-------------------------------------------] | |
644 | + 0x00, 0x00, 0x43, 0x00, 0x00, 0x00, 0x00, 0x00}; | |
645 | + | |
646 | +TEST(ziparchive, BrokenLfhSignature) { | |
647 | + TemporaryFile tmp_file; | |
648 | + ASSERT_NE(-1, tmp_file.fd); | |
649 | + ASSERT_TRUE(android::base::WriteFully(tmp_file.fd, &kZipFileWithBrokenLfhSignature[0], | |
650 | + kZipFileWithBrokenLfhSignature.size())); | |
651 | + ZipArchiveHandle handle; | |
652 | + ASSERT_EQ(-1, OpenArchiveFd(tmp_file.fd, "LeadingNonZipBytes", &handle)); | |
653 | +} | |
654 | + | |
606 | 655 | int main(int argc, char** argv) { |
607 | 656 | ::testing::InitGoogleTest(&argc, argv); |
608 | 657 |