summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorConnor O'Brien <connoro@google.com>2016-08-12 11:52:46 -0700
committergitbuildkicker <android-build@google.com>2016-08-26 16:22:10 -0700
commite30579f3359eba93019171861f32bbf4c72313d1 (patch)
tree515955e8e54a04decc52fdea0a9669321545683f
parente86d0e14970166fa38f16187260679431cdd4119 (diff)
downloadsystem_core-e30579f3359eba93019171861f32bbf4c72313d1.zip
system_core-e30579f3359eba93019171861f32bbf4c72313d1.tar.gz
system_core-e30579f3359eba93019171861f32bbf4c72313d1.tar.bz2
Fix vold vulnerability in FrameworkListener
Modify FrameworkListener to ignore commands that exceed the maximum buffer length and send an error message. Bug: 29831647 Change-Id: I9e57d1648d55af2ca0191bb47868e375ecc26950 Signed-off-by: Connor O'Brien <connoro@google.com> (cherry picked from commit baa126dc158a40bc83c17c6d428c760e5b93fb1a) (cherry picked from commit 470484d2a25ad432190a01d1c763b4b36db33c7e)
-rw-r--r--include/sysutils/FrameworkListener.h1
-rw-r--r--libsysutils/src/FrameworkListener.cpp17
2 files changed, 15 insertions, 3 deletions
diff --git a/include/sysutils/FrameworkListener.h b/include/sysutils/FrameworkListener.h
index 18049cd..2137069 100644
--- a/include/sysutils/FrameworkListener.h
+++ b/include/sysutils/FrameworkListener.h
@@ -32,6 +32,7 @@ private:
int mCommandCount;
bool mWithSeq;
FrameworkCommandCollection *mCommands;
+ bool mSkipToNextNullByte;
public:
FrameworkListener(const char *socketName);
diff --git a/libsysutils/src/FrameworkListener.cpp b/libsysutils/src/FrameworkListener.cpp
index e7b3dd6..579ead9 100644
--- a/libsysutils/src/FrameworkListener.cpp
+++ b/libsysutils/src/FrameworkListener.cpp
@@ -49,6 +49,7 @@ void FrameworkListener::init(const char *socketName UNUSED, bool withSeq) {
errorRate = 0;
mCommandCount = 0;
mWithSeq = withSeq;
+ mSkipToNextNullByte = false;
}
bool FrameworkListener::onDataAvailable(SocketClient *c) {
@@ -59,10 +60,15 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
if (len < 0) {
SLOGE("read() failed (%s)", strerror(errno));
return false;
- } else if (!len)
+ } else if (!len) {
return false;
- if(buffer[len-1] != '\0')
+ } else if (buffer[len-1] != '\0') {
SLOGW("String is not zero-terminated");
+ android_errorWriteLog(0x534e4554, "29831647");
+ c->sendMsg(500, "Command too large for buffer", false);
+ mSkipToNextNullByte = true;
+ return false;
+ }
int offset = 0;
int i;
@@ -70,11 +76,16 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
for (i = 0; i < len; i++) {
if (buffer[i] == '\0') {
/* IMPORTANT: dispatchCommand() expects a zero-terminated string */
- dispatchCommand(c, buffer + offset);
+ if (mSkipToNextNullByte) {
+ mSkipToNextNullByte = false;
+ } else {
+ dispatchCommand(c, buffer + offset);
+ }
offset = i + 1;
}
}
+ mSkipToNextNullByte = false;
return true;
}