author | Connor O'Brien <connoro@google.com> | 2016-08-12 11:52:46 -0700 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2016-08-26 16:22:10 -0700 |
commit | e30579f3359eba93019171861f32bbf4c72313d1 (patch) | |
tree | 515955e8e54a04decc52fdea0a9669321545683f | |
parent | e86d0e14970166fa38f16187260679431cdd4119 (diff) | |
Fix vold vulnerability in FrameworkListener
Modify FrameworkListener to ignore commands that exceed the maximum
buffer length and send an error message.
Bug: 29831647
Change-Id: I9e57d1648d55af2ca0191bb47868e375ecc26950
Signed-off-by: Connor O'Brien <connoro@google.com>
(cherry picked from commit baa126dc158a40bc83c17c6d428c760e5b93fb1a)
(cherry picked from commit 470484d2a25ad432190a01d1c763b4b36db33c7e)
-rw-r--r-- | include/sysutils/FrameworkListener.h | 1 | ||||
-rw-r--r-- | libsysutils/src/FrameworkListener.cpp | 17 |
2 files changed, 15 insertions, 3 deletions
diff --git a/include/sysutils/FrameworkListener.h b/include/sysutils/FrameworkListener.h
index 18049cd..2137069 100644
--- a/include/sysutils/FrameworkListener.h
+++ b/include/sysutils/FrameworkListener.h
@@ -32,6 +32,7 @@ private:
 int mCommandCount;
 bool mWithSeq;
 FrameworkCommandCollection *mCommands;
+ bool mSkipToNextNullByte;
 public:
 FrameworkListener(const char *socketName);
diff --git a/libsysutils/src/FrameworkListener.cpp b/libsysutils/src/FrameworkListener.cpp
index e7b3dd6..579ead9 100644
--- a/libsysutils/src/FrameworkListener.cpp
+++ b/libsysutils/src/FrameworkListener.cpp
@@ -49,6 +49,7 @@ void FrameworkListener::init(const char *socketName UNUSED, bool withSeq) {
 errorRate = 0;
 mCommandCount = 0;
 mWithSeq = withSeq;
+ mSkipToNextNullByte = false;
 }
 bool FrameworkListener::onDataAvailable(SocketClient *c) {
@@ -59,10 +60,15 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
 if (len < 0) {
 SLOGE("read() failed (%s)", strerror(errno));
 return false;
- } else if (!len)
+ } else if (!len) {
 return false;
- if(buffer[len-1] != '\0')
+ } else if (buffer[len-1] != '\0') {
 SLOGW("String is not zero-terminated");
+ android_errorWriteLog(0x534e4554, "29831647");
+ c->sendMsg(500, "Command too large for buffer", false);
+ mSkipToNextNullByte = true;
+ return false;
+ }
 int offset = 0;
 int i;
@@ -70,11 +76,16 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
 for (i = 0; i < len; i++) {
 if (buffer[i] == '\0') {
 /* IMPORTANT: dispatchCommand() expects a zero-terminated string */
- dispatchCommand(c, buffer + offset);
+ if (mSkipToNextNullByte) {
+ mSkipToNextNullByte = false;
+ } else {
+ dispatchCommand(c, buffer + offset);
+ }
 offset = i + 1;
 }
 }
+ mSkipToNextNullByte = false;
 return true;
 } |
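Review bot: `mSkipToNextNullByte` is declared as a member of FrameworkListener, so the skip state is shared by every SocketClient the listener serves, while the truncated command it tracks belongs to a single connection. If data from a different client reaches `onDataAvailable` after one client overflowed the buffer, that other client's first command would be discarded instead of the remainder of the oversized one. Consider tracking the flag per client, or at least state the assumption next to the member, e.g. `// listener-wide: assumes reads from different clients are not interleaved`. The same concern applies to the places the flag is set and cleared in the `onDataAvailable` hunks of FrameworkListener.cpp.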
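Review bot: The new overflow branch in `onDataAvailable` relies on two unexplained constants, `0x534e4554` and `500`, and the warning it logs does not identify which client sent the oversized command. A comment such as `// 0x534e4554 spells "SNET": event-log tag, followed by the bug id` would make the `android_errorWriteLog` call readable, and a named response code would do the same for `sendMsg`. Including the client's identity in the `SLOGW` message would make the event more useful for detection and triage. What the caller does with the `false` return (and therefore whether the skip flag is ever consulted for this connection) is outside this hunk, and the function itself begins before it.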
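Review bot: The final `mSkipToNextNullByte = false;` before `return true;` looks redundant, because this point is only reached when `buffer[len-1]` is `'\0'`, so the loop has already hit a terminator and cleared the flag if it was set. Either drop the line or mark it as intentional with a comment such as `// defensive: already cleared by the loop when a terminator was seen`. The nested `if (mSkipToNextNullByte)` inside the loop would also benefit from a one-line comment saying that the first segment after an overflow is the tail of the rejected command and must not be dispatched. The enclosing function starts outside this hunk.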