openkylin
/
platform_system_core
mirror of https://gitee.com/openkylin/platform_system_core.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

adb: restore packet data length checks. 

These checks were moved to after the read of the payload, which is too
late. Add a check before each read to avoid a heap buffer overflow.

Test: python test_device.py with x86_64 emulator, walleye
Change-Id: I86bcfaaa9004951cc52ad89af74680cf748e717d
This commit is contained in:
Josh Gao 2018-02-02 14:38:04 -08:00
parent 5e5076404a
commit 5caaebdc3d
2 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
adb/transport.cpp
View File

@ -72,6 +72,11 @@ bool FdConnection::Read(apacket* packet) {
return false;
}
if (packet->msg.data_length > sizeof(packet->data)) {
D("remote local: read overflow (data length = %" PRIu32 ")", packet->msg.data_length);
return false;
}
if (!ReadFdExactly(fd_.get(), &packet->data, packet->msg.data_length)) {
D("remote local: terminated (data)");
return false;

9
adb/transport_usb.cpp
View File

@ -61,6 +61,10 @@ static int UsbReadMessage(usb_handle* h, amessage* msg) {
static int UsbReadPayload(usb_handle* h, apacket* p) {
D("UsbReadPayload(%d)", p->msg.data_length);
if (p->msg.data_length > sizeof(p->data)) {
return -1;
}
#if CHECK_PACKET_OVERFLOW
size_t usb_packet_size = usb_get_max_packet_size(h);
CHECK_EQ(0ULL, sizeof(p->data) % usb_packet_size);
@ -116,6 +120,11 @@ static int remote_read(apacket* p, usb_handle* usb) {
}
if (p->msg.data_length) {
if (p->msg.data_length > sizeof(p->data)) {
PLOG(ERROR) << "remote usb: read overflow (data length = " << p->msg.data_length << ")";
return -1;
}
if (usb_read(usb, p->data, p->msg.data_length)) {
PLOG(ERROR) << "remote usb: terminated (data)";
return -1;