
system/corennnnn


Commit MetaInfo

Revisionbbceed599898ab121c48a9a3783368e1cc1fc284 (tree)
Zeit2016-09-01 12:56:05
AutorConnor O'Brien <connoro@goog...>
Commitergitbuildkicker

Log Message

Fix vold vulnerability in FrameworkListener

Modify FrameworkListener to ignore commands that exceed the maximum
buffer length and send an error message.

Bug: 29831647
Change-Id: I9e57d1648d55af2ca0191bb47868e375ecc26950
Signed-off-by: Connor O'Brien <connoro@google.com>
(cherry picked from commit baa126dc158a40bc83c17c6d428c760e5b93fb1a)
(cherry picked from commit 470484d2a25ad432190a01d1c763b4b36db33c7e)

Ändern Zusammenfassung

Diff

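--- a/include/sysutils/FrameworkListener.h
+++ b/include/sysutils/FrameworkListener.h
@@ -32,6 +32,7 @@ private:
 int mCommandCount;
 bool mWithSeq;
 FrameworkCommandCollection *mCommands;
+ bool mSkipToNextNullByte;
 
 public:
 FrameworkListener(const char *socketName);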
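Review bot: `mSkipToNextNullByte` is declared in the private section without a comment, although it carries parser state from one `onDataAvailable()` call into the next and decides whether a command is dispatched or dropped. I would document it at the declaration, for example `// Set when a read ended mid-command; the next read discards bytes up to the first '\0'.` The class body starts and ends outside this hunk.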
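--- a/libsysutils/src/FrameworkListener.cpp
+++ b/libsysutils/src/FrameworkListener.cpp
@@ -49,6 +49,7 @@ void FrameworkListener::init(const char *socketName UNUSED, bool withSeq) {
 errorRate = 0;
 mCommandCount = 0;
 mWithSeq = withSeq;
+ mSkipToNextNullByte = false;
 }
 
 bool FrameworkListener::onDataAvailable(SocketClient *c) {
@@ -59,10 +60,15 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
 if (len < 0) {
 SLOGE("read() failed (%s)", strerror(errno));
 return false;
- } else if (!len)
+ } else if (!len) {
 return false;
- if(buffer[len-1] != '\0')
+ } else if (buffer[len-1] != '\0') {
 SLOGW("String is not zero-terminated");
+ android_errorWriteLog(0x534e4554, "29831647");
+ c->sendMsg(500, "Command too large for buffer", false);
+ mSkipToNextNullByte = true;
+ return false;
+ }
 
 int offset = 0;
 int i;
@@ -70,11 +76,16 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
 for (i = 0; i < len; i++) {
 if (buffer[i] == '\0') {
 /* IMPORTANT: dispatchCommand() expects a zero-terminated string */
- dispatchCommand(c, buffer + offset);
+ if (mSkipToNextNullByte) {
+ mSkipToNextNullByte = false;
+ } else {
+ dispatchCommand(c, buffer + offset);
+ }
 offset = i + 1;
 }
 }
 
+ mSkipToNextNullByte = false;
 return true;
 }
 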
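Review bot: The skip flag set in the new `buffer[len-1] != '\0'` branch is a member of the listener rather than state attached to the client `c`, so if this listener serves more than one client, an over-long command on one connection makes the loop drop the first command of whichever client is read next. The same branch returns before the dispatch loop, so any complete commands that preceded the unterminated tail in that read are discarded too, with only the 500 reply to signal it. I would keep the skip state per client (keyed on `c`) and, at minimum, add above the branch `/* skip state is listener-wide: the next read from ANY client loses its first command */`. What the caller does with the `false` return, and the buffer declaration and `read()` call at the top of `onDataAvailable()`, lie outside the hunks shown.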