logger: validate hdr_size field in logger entry

- check hdr_size to make sure it is in the expected range from sizeof entry_v1 to entry (entry_v4). - alter msg() method to report NULL on invalid hdr_size - alter all users of msg() method. Bug: 30947841 Change-Id: I9bc1740d7aa9f37df5be966c18de1fb9de63d5dd
author: Mark Salyzyn <salyzyn@google.com> 2016-08-18 14:59:41 -0700
committer: Mark Salyzyn <salyzyn@google.com> 2016-08-23 14:51:50 -0700
commit: 305374cf0f8cf28b58a108cf4f45df92fc0dde86 (patch)
tree: 4f7ae56a180ae568508f5da1f4f83e25a054d712 /liblog/pmsg_reader.c
parent: 82b67fff06363c8e7a17058cb5ce748f21a27f11 (diff)
download: core-305374cf0f8cf28b58a108cf4f45df92fc0dde86.tar.gz
core-305374cf0f8cf28b58a108cf4f45df92fc0dde86.tar.bz2
core-305374cf0f8cf28b58a108cf4f45df92fc0dde86.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/liblog/pmsg_reader.c b/liblog/pmsg_reader.c
index a4eec65a5..679c15957 100644
--- a/liblog/pmsg_reader.c
+++ b/liblog/pmsg_reader.c
@@ -343,6 +343,10 @@ LIBLOG_ABI_PRIVATE ssize_t __android_log_pmsg_file_read(
         char *msg = (char *)&transp.logMsg + hdr_size;
         char *split = NULL;
 
+        if ((hdr_size < sizeof(transp.logMsg.entry_v1)) ||
+                (hdr_size > sizeof(transp.logMsg.entry))) {
+            continue;
+        }
         /* Check for invalid sequence number */
         if ((transp.logMsg.entry.nsec % ANDROID_LOG_PMSG_FILE_SEQUENCE) ||
                 ((transp.logMsg.entry.nsec / ANDROID_LOG_PMSG_FILE_SEQUENCE) >=
author	Mark Salyzyn <salyzyn@google.com>	2016-08-18 14:59:41 -0700
committer	Mark Salyzyn <salyzyn@google.com>	2016-08-23 14:51:50 -0700
commit	305374cf0f8cf28b58a108cf4f45df92fc0dde86 (patch)
tree	4f7ae56a180ae568508f5da1f4f83e25a054d712 /liblog/pmsg_reader.c
parent	82b67fff06363c8e7a17058cb5ce748f21a27f11 (diff)
download	core-305374cf0f8cf28b58a108cf4f45df92fc0dde86.tar.gz core-305374cf0f8cf28b58a108cf4f45df92fc0dde86.tar.bz2 core-305374cf0f8cf28b58a108cf4f45df92fc0dde86.zip