system/core
Revision | 2f78b2c3d6b3d1311e7ca21a25925d3bbb09ff9f (tree) |
---|---|
Time | 2016-08-20 07:36:29 |
Author | Connor O'Brien <connoro@goog...> |
Committer | android-build-merger |
Fix vold vulnerability in FrameworkListener am: 470484d2a2 am: e9e046df6c am: 109024f74a am: b906ad88b9 am: 2fadbb93a4 am: e04054d9bb
am: 9745b11db1
Change-Id: I61f685976803f51db9ba85729554fc14efaa4b2c
@@ -32,6 +32,7 @@ private: | ||
32 | 32 | int mCommandCount; |
33 | 33 | bool mWithSeq; |
34 | 34 | FrameworkCommandCollection *mCommands; |
35 | + bool mSkipToNextNullByte; | |
35 | 36 | |
36 | 37 | public: |
37 | 38 | FrameworkListener(const char *socketName); |
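Review bot: The new member `mSkipToNextNullByte` (new line 35) is declared without a comment, and the name alone does not say what sets it or when it is cleared. From the rest of the commit it is set after a read that does not end in '\0' and makes the next NUL-terminated segment be dropped instead of dispatched. A declaration comment would record that, e.g. `// Set after an unterminated read; the next '\0'-terminated segment is discarded, not dispatched. Listener-wide, not per client.` The class declaration starts and ends outside this hunk.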
@@ -49,6 +49,7 @@ void FrameworkListener::init(const char *socketName UNUSED, bool withSeq) { | ||
49 | 49 | errorRate = 0; |
50 | 50 | mCommandCount = 0; |
51 | 51 | mWithSeq = withSeq; |
52 | + mSkipToNextNullByte = false; | |
52 | 53 | } |
53 | 54 | |
54 | 55 | bool FrameworkListener::onDataAvailable(SocketClient *c) { |
@@ -59,10 +60,15 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) { | ||
59 | 60 | if (len < 0) { |
60 | 61 | SLOGE("read() failed (%s)", strerror(errno)); |
61 | 62 | return false; |
62 | - } else if (!len) | |
63 | + } else if (!len) { | |
63 | 64 | return false; |
64 | - if(buffer[len-1] != '\0') | |
65 | + } else if (buffer[len-1] != '\0') { | |
65 | 66 | SLOGW("String is not zero-terminated"); |
67 | + android_errorWriteLog(0x534e4554, "29831647"); | |
68 | + c->sendMsg(500, "Command too large for buffer", false); | |
69 | + mSkipToNextNullByte = true; | |
70 | + return false; | |
71 | + } | |
66 | 72 | |
67 | 73 | int offset = 0; |
68 | 74 | int i; |
@@ -70,11 +76,16 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) { | ||
70 | 76 | for (i = 0; i < len; i++) { |
71 | 77 | if (buffer[i] == '\0') { |
72 | 78 | /* IMPORTANT: dispatchCommand() expects a zero-terminated string */ |
73 | - dispatchCommand(c, buffer + offset); | |
79 | + if (mSkipToNextNullByte) { | |
80 | + mSkipToNextNullByte = false; | |
81 | + } else { | |
82 | + dispatchCommand(c, buffer + offset); | |
83 | + } | |
74 | 84 | offset = i + 1; |
75 | 85 | } |
76 | 86 | } |
77 | 87 | |
88 | + mSkipToNextNullByte = false; | |
78 | 89 | return true; |
79 | 90 | } |
80 | 91 |
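Review bot: `mSkipToNextNullByte` is listener-wide state, but the branch at new lines 65–70 sets it for one client's unterminated read and then returns false. If the caller closes the client on a false return (SocketListener is not shown here, so confirm), the flag is still set when the next read arrives, and the loop at new lines 79–83 silently drops that read's first NUL-terminated command, which may belong to a different client. Tracking the skip per SocketClient, or clearing it when the connection is released, would keep one sender's malformed input from affecting another. At minimum, document the intent above the branch, e.g. `/* Oversized command: reject it and discard input up to the next '\0' */`. onDataAvailable starts before this hunk, so the read() call and the buffer size are not visible.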