author | Jeff Tinker <jtinker@google.com> | 2015-04-30 00:40:24 +0000 |
committer | Android (Google) Code Review <android-gerrit@google.com> | 2015-04-30 00:40:25 +0000 |
commit | ccae9e1bd456d4a0b5a38f53c719130f248bb7cc (patch) | |
tree | 34a8a865c9ce871dc72dd16aeba012a07e9b4b98 | |
parent | 424eaef5c2d4df8750dc46b9bba886ce06e67902 (diff) | |
parent | b408fa26c782c57272f11b46a235cca8c9ccb9be (diff) | |
Merge "Harden drmserver process against fuzzing attacks" into mnc-dev
-rw-r--r-- | drm/common/IDrmManagerService.cpp | 56 |
1 files changed, 46 insertions, 10 deletions
diff --git a/drm/common/IDrmManagerService.cpp b/drm/common/IDrmManagerService.cpp
index 3f62ed7..b90da1b 100644
--- a/drm/common/IDrmManagerService.cpp
+++ b/drm/common/IDrmManagerService.cpp
@@ -34,6 +34,7 @@
 #include "IDrmManagerService.h"
 #define INVALID_BUFFER_LENGTH -1
+#define MAX_BINDER_TRANSACTION_SIZE ((1*1024*1024)-(4096*2))
 using namespace android;
@@ -933,7 +934,12 @@ status_t BnDrmManagerService::onTransact(
 //Filling DRM info
 const int infoType = data.readInt32();
- const int bufferSize = data.readInt32();
+ const uint32_t bufferSize = data.readInt32();
+
+ if (bufferSize > data.dataAvail()) {
+ return BAD_VALUE;
+ }
+
 char* buffer = NULL;
 if (0 < bufferSize) {
 buffer = (char *)data.readInplace(bufferSize);
@@ -986,6 +992,9 @@ status_t BnDrmManagerService::onTransact(
 const int size = data.readInt32();
 for (int index = 0; index < size; ++index) {
+ if (!data.dataAvail()) {
+ break;
+ }
 const String8 key(data.readString8());
 if (key == String8("FileDescriptorKey")) {
 char buffer[16];
@@ -1035,7 +1044,12 @@ status_t BnDrmManagerService::onTransact(
 const int uniqueId = data.readInt32();
 //Filling DRM Rights
- const int bufferSize = data.readInt32();
+ const uint32_t bufferSize = data.readInt32();
+ if (bufferSize > data.dataAvail()) {
+ reply->writeInt32(BAD_VALUE);
+ return DRM_NO_ERROR;
+ }
+
 const DrmBuffer drmBuffer((char *)data.readInplace(bufferSize), bufferSize);
 const String8 mimeType(data.readString8());
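Review bot: The guard `if (bufferSize > data.dataAvail())` in the 933 hunk depends on the int-to-unsigned conversion of `readInt32()` to reject negative lengths, but nothing in the code says so, and the same idiom is repeated in the 1035, 1206, 1393, 1417, 1429 and 1477 hunks. A one-line comment above the first such declaration would keep a later cleanup from "fixing" the type back to `int`: `// readInt32() may be negative; reading it as uint32_t makes the unsigned compare below reject it along with lengths larger than the remaining parcel.` onTransact() starts and ends outside this hunk.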
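Review bot: The `break` added inside the metadata loop in the 986 hunk accepts a short parcel silently: once `data.dataAvail()` reaches zero before `size` entries have been read, the handler carries on with however many key/value pairs it managed to parse, whereas every other length check in this commit rejects a malformed parcel with BAD_VALUE. If partial metadata is not meaningful to the callee, `return BAD_VALUE;` in place of `break;` would be consistent with the rest of the change; if truncation is intended, a comment such as `// a short parcel ends the metadata early instead of failing the call` should say so. The loop body and onTransact() continue beyond the hunk, so I cannot see how the truncated metadata is consumed.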
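Review bot: In the 1035 hunk `data.readInplace(bufferSize)` is still passed straight into the DrmBuffer constructor with its return value unchecked, so the new size guard is the only thing standing between a short parcel and a DrmBuffer holding a NULL data pointer with a nonzero length. Parcel::readInplace() returns NULL whenever it cannot satisfy the request, and if I read it correctly it rounds the length up to a 4-byte boundary internally, so `bufferSize <= dataAvail()` guarantees success only through the parcel's own alignment invariants rather than locally. A NULL check on the pointer that returns the same BAD_VALUE reply, e.g. `const char* p = (char *)data.readInplace(bufferSize); if (p == NULL && bufferSize != 0) { reply->writeInt32(BAD_VALUE); return DRM_NO_ERROR; }`, keeps the guard self-contained. The same unchecked readInplace() pattern remains in the 1206, 1393, 1417 and 1429 hunks; onTransact() starts and ends outside this hunk.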
@@ -1206,10 +1220,13 @@ status_t BnDrmManagerService::onTransact(
 const int convertId = data.readInt32();
 //Filling input data
- const int bufferSize = data.readInt32();
+ const uint32_t bufferSize = data.readInt32();
+ if (bufferSize > data.dataAvail()) {
+ return BAD_VALUE;
+ }
 DrmBuffer* inputData = new DrmBuffer((char *)data.readInplace(bufferSize), bufferSize);
- DrmConvertedStatus* drmConvertedStatus = convertData(uniqueId, convertId, inputData);
+ DrmConvertedStatus* drmConvertedStatus = convertData(uniqueId, convertId, inputData);
 if (NULL != drmConvertedStatus) {
 //Filling Drm Converted Ststus
@@ -1393,7 +1410,12 @@ status_t BnDrmManagerService::onTransact(
 const int decryptUnitId = data.readInt32();
 //Filling Header info
- const int bufferSize = data.readInt32();
+ const uint32_t bufferSize = data.readInt32();
+ if (bufferSize > data.dataAvail()) {
+ reply->writeInt32(BAD_VALUE);
+ clearDecryptHandle(&handle);
+ return DRM_NO_ERROR;
+ }
 DrmBuffer* headerInfo = NULL;
 headerInfo = new DrmBuffer((char *)data.readInplace(bufferSize), bufferSize);
@@ -1417,9 +1439,17 @@ status_t BnDrmManagerService::onTransact(
 readDecryptHandleFromParcelData(&handle, data);
 const int decryptUnitId = data.readInt32();
- const int decBufferSize = data.readInt32();
+ const uint32_t decBufferSize = data.readInt32();
+ const uint32_t encBufferSize = data.readInt32();
+
+ if (encBufferSize > data.dataAvail() ||
+ decBufferSize > MAX_BINDER_TRANSACTION_SIZE) {
+ reply->writeInt32(BAD_VALUE);
+ reply->writeInt32(0);
+ clearDecryptHandle(&handle);
+ return DRM_NO_ERROR;
+ }
- const int encBufferSize = data.readInt32();
 DrmBuffer* encBuffer = new DrmBuffer((char *)data.readInplace(encBufferSize), encBufferSize);
@@ -1429,8 +1459,10 @@ status_t BnDrmManagerService::onTransact(
 DrmBuffer* IV = NULL;
 if (0 != data.dataAvail()) {
- const int ivBufferlength = data.readInt32();
- IV = new DrmBuffer((char *)data.readInplace(ivBufferlength), ivBufferlength);
+ const uint32_t ivBufferlength = data.readInt32();
+ if (ivBufferlength <= data.dataAvail()) {
+ IV = new DrmBuffer((char *)data.readInplace(ivBufferlength), ivBufferlength);
+ }
 }
 const status_t status
@@ -1477,7 +1509,11 @@ status_t BnDrmManagerService::onTransact(
 DecryptHandle handle;
 readDecryptHandleFromParcelData(&handle, data);
- const int numBytes = data.readInt32();
+ const uint32_t numBytes = data.readInt32();
+ if (numBytes > MAX_BINDER_TRANSACTION_SIZE) {
+ reply->writeInt32(BAD_VALUE);
+ return DRM_NO_ERROR;
+ }
 char* buffer = new char[numBytes];
 const off64_t offset = data.readInt64();
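Review bot: The IV check in the 1429 hunk drops a mis-sized IV silently: when `ivBufferlength` exceeds `data.dataAvail()` the new `if` simply leaves `IV` as NULL and the decrypt call below proceeds without it, whereas every other length check in this commit rejects the parcel with BAD_VALUE. A caller that sent an IV with a bad length therefore gets a decrypt with no IV rather than an error, which is hard to diagnose and not what the rest of the hardening does. Rejecting it the way the 1417 hunk does would be consistent, but on this path `encBuffer` (allocated at the end of the 1417 hunk) already exists and must be released before returning; I cannot see the lines between the two hunks, so anything else allocated there needs the same treatment. The decrypt call and the reply handling are outside this hunk.
```cpp
 DrmBuffer* IV = NULL;
 if (0 != data.dataAvail()) {
     const uint32_t ivBufferlength = data.readInt32();
     if (ivBufferlength > data.dataAvail()) {
         // Reject a mis-sized IV like the other length checks do,
         // instead of silently decrypting without one.
         delete encBuffer;
         // NOTE(review): release anything else allocated between the
         // encBuffer allocation and this point before returning.
         reply->writeInt32(BAD_VALUE);
         reply->writeInt32(0);
         clearDecryptHandle(&handle);
         return DRM_NO_ERROR;
     }
     IV = new DrmBuffer((char *)data.readInplace(ivBufferlength), ivBufferlength);
 }
 // … unchanged: decrypt call and reply …
```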