Fix vold vulnerability in FrameworkListener
Modify FrameworkListener to ignore commands that exceed the maximum
buffer length and send an error message.
Bug: 29831647
Change-Id: I9e57d1648d55af2ca0191bb47868e375ecc26950
Signed-off-by: Connor O'Brien <connoro@google.com>
(cherry picked from commit baa126dc15
)
This commit is contained in:
parent
23effb07ee
commit
470484d2a2
|
@ -32,6 +32,7 @@ private:
|
|||
int mCommandCount;
|
||||
bool mWithSeq;
|
||||
FrameworkCommandCollection *mCommands;
|
||||
bool mSkipToNextNullByte;
|
||||
|
||||
public:
|
||||
FrameworkListener(const char *socketName);
|
||||
|
|
|
@ -42,6 +42,7 @@ void FrameworkListener::init(const char *socketName, bool withSeq) {
|
|||
errorRate = 0;
|
||||
mCommandCount = 0;
|
||||
mWithSeq = withSeq;
|
||||
mSkipToNextNullByte = false;
|
||||
}
|
||||
|
||||
bool FrameworkListener::onDataAvailable(SocketClient *c) {
|
||||
|
@ -52,10 +53,15 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
|
|||
if (len < 0) {
|
||||
SLOGE("read() failed (%s)", strerror(errno));
|
||||
return false;
|
||||
} else if (!len)
|
||||
} else if (!len) {
|
||||
return false;
|
||||
if(buffer[len-1] != '\0')
|
||||
} else if (buffer[len-1] != '\0') {
|
||||
SLOGW("String is not zero-terminated");
|
||||
android_errorWriteLog(0x534e4554, "29831647");
|
||||
c->sendMsg(500, "Command too large for buffer", false);
|
||||
mSkipToNextNullByte = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
int offset = 0;
|
||||
int i;
|
||||
|
@ -63,11 +69,16 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
|
|||
for (i = 0; i < len; i++) {
|
||||
if (buffer[i] == '\0') {
|
||||
/* IMPORTANT: dispatchCommand() expects a zero-terminated string */
|
||||
dispatchCommand(c, buffer + offset);
|
||||
if (mSkipToNextNullByte) {
|
||||
mSkipToNextNullByte = false;
|
||||
} else {
|
||||
dispatchCommand(c, buffer + offset);
|
||||
}
|
||||
offset = i + 1;
|
||||
}
|
||||
}
|
||||
|
||||
mSkipToNextNullByte = false;
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue