diff options
author | Mike Lockwood <lockwood@google.com> | 2014-11-12 14:20:06 -0800 |
---|---|---|
committer | Mike Lockwood <lockwood@google.com> | 2014-11-12 16:08:37 -0800 |
commit | ab063847e6e893740749029a04cce1f6b7345ed5 (patch) | |
tree | 8b840e9152cfa638aa354a0379962a89914e0006 /media/mtp/MtpStorageInfo.cpp | |
parent | 745602d87607521f4fe84c4f3a6388fbdb6a867c (diff) | |
download | frameworks_av-ab063847e6e893740749029a04cce1f6b7345ed5.zip frameworks_av-ab063847e6e893740749029a04cce1f6b7345ed5.tar.gz frameworks_av-ab063847e6e893740749029a04cce1f6b7345ed5.tar.bz2 |
MTP: add strict bounds checking for all incoming packets
Previously we did not sanity check incoming MTP packets,
which could result in crashes due to reading off the edge of a packet.
Now all MTP packet getter functions return a boolean result
(true for OK, false for reading off the edge of the packet)
and we now return errors for malformed packets.
Bug: 18113092
Change-Id: Ic7623ee96f00652bdfb4f66acb16a93db5a1c105
Diffstat (limited to 'media/mtp/MtpStorageInfo.cpp')
-rw-r--r-- | media/mtp/MtpStorageInfo.cpp | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/media/mtp/MtpStorageInfo.cpp b/media/mtp/MtpStorageInfo.cpp index 2b1a9ae..5d4ebbf 100644 --- a/media/mtp/MtpStorageInfo.cpp +++ b/media/mtp/MtpStorageInfo.cpp @@ -45,21 +45,23 @@ MtpStorageInfo::~MtpStorageInfo() { free(mVolumeIdentifier); } -void MtpStorageInfo::read(MtpDataPacket& packet) { +bool MtpStorageInfo::read(MtpDataPacket& packet) { MtpStringBuffer string; // read the device info - mStorageType = packet.getUInt16(); - mFileSystemType = packet.getUInt16(); - mAccessCapability = packet.getUInt16(); - mMaxCapacity = packet.getUInt64(); - mFreeSpaceBytes = packet.getUInt64(); - mFreeSpaceObjects = packet.getUInt32(); + if (!packet.getUInt16(mStorageType)) return false; + if (!packet.getUInt16(mFileSystemType)) return false; + if (!packet.getUInt16(mAccessCapability)) return false; + if (!packet.getUInt64(mMaxCapacity)) return false; + if (!packet.getUInt64(mFreeSpaceBytes)) return false; + if (!packet.getUInt32(mFreeSpaceObjects)) return false; - packet.getString(string); + if (!packet.getString(string)) return false; mStorageDescription = strdup((const char *)string); - packet.getString(string); + if (!packet.getString(string)) return false; mVolumeIdentifier = strdup((const char *)string); + + return true; } void MtpStorageInfo::print() { |