diff --git a/init/Android.mk b/init/Android.mk index a10a714a1..18cbedcd1 100644 --- a/init/Android.mk +++ b/init/Android.mk @@ -123,6 +123,7 @@ include $(CLEAR_VARS) LOCAL_MODULE := init_tests LOCAL_SRC_FILES := \ init_parser_test.cpp \ + property_service_test.cpp \ util_test.cpp \ LOCAL_SHARED_LIBRARIES += \ diff --git a/init/property_service.cpp b/init/property_service.cpp index ce197eec1..04bcb1862 100644 --- a/init/property_service.cpp +++ b/init/property_service.cpp @@ -245,6 +245,13 @@ class SocketConnection { return true; } + // http://b/35166374: don't allow init to make arbitrarily large allocations. + if (len > 0xffff) { + LOG(ERROR) << "sys_prop: RecvString asked to read huge string: " << len; + errno = ENOMEM; + return false; + } + std::vector chars(len); if (!RecvChars(&chars[0], len, timeout_ms)) { return false; @@ -386,12 +393,11 @@ static void handle_property_set_fd() { return; } - /* Check socket options here */ struct ucred cr; socklen_t cr_size = sizeof(cr); if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &cr, &cr_size) < 0) { close(s); - PLOG(ERROR) << "Unable to receive socket options"; + PLOG(ERROR) << "sys_prop: unable to get SO_PEERCRED"; return; } @@ -399,14 +405,13 @@ static void handle_property_set_fd() { uint32_t timeout_ms = kDefaultSocketTimeout; uint32_t cmd = 0; - if (!socket.RecvUint32(&cmd, &timeout_ms)) { PLOG(ERROR) << "sys_prop: error while reading command from the socket"; socket.SendUint32(PROP_ERROR_READ_CMD); return; } - switch(cmd) { + switch (cmd) { case PROP_MSG_SETPROP: { char prop_name[PROP_NAME_MAX]; char prop_value[PROP_VALUE_MAX]; @@ -437,7 +442,9 @@ static void handle_property_set_fd() { handle_property_set(socket, name, value, false); break; } + default: + LOG(ERROR) << "sys_prop: invalid command " << cmd; socket.SendUint32(PROP_ERROR_INVALID_CMD); break; } diff --git a/init/property_service_test.cpp b/init/property_service_test.cpp new file mode 100644 index 000000000..4d784aa8d --- /dev/null +++ b/init/property_service_test.cpp @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2017 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include + +#define _REALLY_INCLUDE_SYS__SYSTEM_PROPERTIES_H_ +#include + +#include + +TEST(property_service, very_long_name_35166374) { + // Connect to the property service directly... + int fd = socket(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0); + ASSERT_NE(fd, -1); + + static const char* property_service_socket = "/dev/socket/" PROP_SERVICE_NAME; + sockaddr_un addr = {}; + addr.sun_family = AF_LOCAL; + strlcpy(addr.sun_path, property_service_socket, sizeof(addr.sun_path)); + + socklen_t addr_len = strlen(property_service_socket) + offsetof(sockaddr_un, sun_path) + 1; + ASSERT_NE(connect(fd, reinterpret_cast(&addr), addr_len), -1); + + // ...so we can send it a malformed request. + uint32_t msg = PROP_MSG_SETPROP2; + uint32_t size = 0xffffffff; + uint32_t data = 0xdeadbeef; + + ASSERT_EQ(static_cast(sizeof(msg)), send(fd, &msg, sizeof(msg), 0)); + ASSERT_EQ(static_cast(sizeof(size)), send(fd, &size, sizeof(size), 0)); + ASSERT_EQ(static_cast(sizeof(data)), send(fd, &data, sizeof(data), 0)); + ASSERT_EQ(0, close(fd)); +}