author | Mike Lockwood <lockwood@google.com> | 2014-11-12 14:20:06 -0800 |
---|---|---|
committer | Mike Lockwood <lockwood@google.com> | 2014-11-12 16:08:37 -0800 |
commit | ab063847e6e893740749029a04cce1f6b7345ed5 (patch) | |
tree | 8b840e9152cfa638aa354a0379962a89914e0006 /media/mtp/MtpDeviceInfo.cpp | |
parent | 745602d87607521f4fe84c4f3a6388fbdb6a867c (diff) | |
MTP: add strict bounds checking for all incoming packets
Previously we did not sanity check incoming MTP packets,
which could result in crashes due to reading off the edge of a packet.
Now all MTP packet getter functions return a boolean result
(true for OK, false for reading off the edge of the packet)
and we now return errors for malformed packets.
Bug: 18113092
Change-Id: Ic7623ee96f00652bdfb4f66acb16a93db5a1c105
Diffstat (limited to 'media/mtp/MtpDeviceInfo.cpp')
-rw-r--r-- | media/mtp/MtpDeviceInfo.cpp | 33 |
1 files changed, 20 insertions, 13 deletions
diff --git a/media/mtp/MtpDeviceInfo.cpp b/media/mtp/MtpDeviceInfo.cpp
index 108e2b8..3e1dff7 100644
--- a/media/mtp/MtpDeviceInfo.cpp
+++ b/media/mtp/MtpDeviceInfo.cpp
@@ -28,7 +28,7 @@ MtpDeviceInfo::MtpDeviceInfo()
 mVendorExtensionID(0),
 mVendorExtensionVersion(0),
 mVendorExtensionDesc(NULL),
- mFunctionalCode(0),
+ mFunctionalMode(0),
 mOperations(NULL),
 mEvents(NULL),
 mDeviceProperties(NULL),
@@ -59,39 +59,46 @@ MtpDeviceInfo::~MtpDeviceInfo() { free(mSerial); } -void MtpDeviceInfo::read(MtpDataPacket& packet) { +bool MtpDeviceInfo::read(MtpDataPacket& packet) { MtpStringBuffer string; // read the device info - mStandardVersion = packet.getUInt16(); - mVendorExtensionID = packet.getUInt32(); - mVendorExtensionVersion = packet.getUInt16(); + if (!packet.getUInt16(mStandardVersion)) return false; + if (!packet.getUInt32(mVendorExtensionID)) return false; + if (!packet.getUInt16(mVendorExtensionVersion)) return false; - packet.getString(string); + if (!packet.getString(string)) return false; mVendorExtensionDesc = strdup((const char *)string); - mFunctionalCode = packet.getUInt16(); + if (!packet.getUInt16(mFunctionalMode)) return false; mOperations = packet.getAUInt16(); + if (!mOperations) return false; mEvents = packet.getAUInt16(); + if (!mEvents) return false; mDeviceProperties = packet.getAUInt16(); + if (!mDeviceProperties) return false; mCaptureFormats = packet.getAUInt16(); + if (!mCaptureFormats) return false; mPlaybackFormats = packet.getAUInt16(); + if (!mCaptureFormats) return false; - packet.getString(string); + if (!packet.getString(string)) return false; mManufacturer = strdup((const char *)string); - packet.getString(string); + if (!packet.getString(string)) return false; mModel = strdup((const char *)string); - packet.getString(string); + if (!packet.getString(string)) return false; mVersion = strdup((const char *)string); - packet.getString(string); + if (!packet.getString(string)) return false; mSerial = strdup((const char *)string); + + return true; } void MtpDeviceInfo::print() { ALOGV("Device Info:\n\tmStandardVersion: %d\n\tmVendorExtensionID: %d\n\tmVendorExtensionVersiony: %d\n", mStandardVersion, mVendorExtensionID, mVendorExtensionVersion); - ALOGV("\tmVendorExtensionDesc: %s\n\tmFunctionalCode: %d\n\tmManufacturer: %s\n\tmModel: %s\n\tmVersion: %s\n\tmSerial: %s\n", - mVendorExtensionDesc, mFunctionalCode, mManufacturer, 
mModel, mVersion, mSerial); + ALOGV("\tmVendorExtensionDesc: %s\n\tmFunctionalMode: %d\n\tmManufacturer: %s\n\tmModel: %s\n\tmVersion: %s\n\tmSerial: %s\n", + mVendorExtensionDesc, mFunctionalMode, mManufacturer, mModel, mVersion, mSerial); } } // namespace android |
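Review bot: The null check added after `mPlaybackFormats = packet.getAUInt16();` in `MtpDeviceInfo::read()` tests `mCaptureFormats` a second time, so a packet that is truncated inside the playback-formats array is not rejected and `read()` carries on with `mPlaybackFormats` left NULL. That line should be `if (!mPlaybackFormats) return false;`, otherwise this one field escapes the bounds checking the commit sets out to add for device-supplied data. The `strdup()` results stored in `mVendorExtensionDesc`, `mManufacturer`, `mModel`, `mVersion` and `mSerial` are also unchecked; whether a NULL there matters depends on callers outside this hunk, but `print()` passes them straight to `%s`. It would help to document on `read()` that a `false` return leaves the object partially populated, so callers discard it rather than use it.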