diff options
| author | Mike Lockwood <lockwood%android.com@gtempaccount.com> | 2011-06-29 06:42:33 -0700 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2011-06-29 06:42:33 -0700 |
| commit | 273d3549198d144331f3e502eeb1215417d72b16 (patch) | |
| tree | b8ced10b08e3a41f3c5cacfa833c85de41a68021 | |
| parent | 598e833d42a687259bc3c9a5a39ad9ba8b105cbb (diff) | |
| parent | 2c9d8de79a0dd7f894c65777a197c86486aff96c (diff) | |
| download | system_vold-273d3549198d144331f3e502eeb1215417d72b16.tar.gz system_vold-273d3549198d144331f3e502eeb1215417d72b16.tar.bz2 system_vold-273d3549198d144331f3e502eeb1215417d72b16.zip | |
am 2c9d8de7: Merge "Prevent buffer overflows."
* commit '2c9d8de79a0dd7f894c65777a197c86486aff96c':
Prevent buffer overflows.
| -rw-r--r-- | Devmapper.cpp | 39 | ||||
| -rw-r--r-- | Loop.cpp | 4 | ||||
| -rw-r--r-- | vdc.c | 6 |
3 files changed, 30 insertions, 19 deletions
diff --git a/Devmapper.cpp b/Devmapper.cpp index 9a22a64..7c11d12 100644 --- a/Devmapper.cpp +++ b/Devmapper.cpp @@ -20,6 +20,7 @@ #include <unistd.h> #include <errno.h> #include <string.h> +#include <stdlib.h> #include <sys/types.h> #include <sys/ioctl.h> @@ -35,6 +36,8 @@ #include "Devmapper.h" +#define DEVMAPPER_BUFFER_SIZE 4096 + int Devmapper::dumpState(SocketClient *c) { char *buffer = (char *) malloc(1024 * 64); @@ -44,7 +47,7 @@ int Devmapper::dumpState(SocketClient *c) { } memset(buffer, 0, (1024 * 64)); - char *buffer2 = (char *) malloc(4096); + char *buffer2 = (char *) malloc(DEVMAPPER_BUFFER_SIZE); if (!buffer2) { SLOGE("Error allocating memory (%s)", strerror(errno)); free(buffer); @@ -82,9 +85,9 @@ int Devmapper::dumpState(SocketClient *c) { do { n = (struct dm_name_list *) (((char *) n) + nxt); - memset(buffer2, 0, 4096); + memset(buffer2, 0, DEVMAPPER_BUFFER_SIZE); struct dm_ioctl *io2 = (struct dm_ioctl *) buffer2; - ioctlInit(io2, 4096, n->name, 0); + ioctlInit(io2, DEVMAPPER_BUFFER_SIZE, n->name, 0); if (ioctl(fd, DM_DEV_STATUS, io2)) { if (errno != ENXIO) { SLOGE("DM_DEV_STATUS ioctl failed (%s)", strerror(errno)); @@ -121,12 +124,14 @@ void Devmapper::ioctlInit(struct dm_ioctl *io, size_t dataSize, io->version[2] = 0; io->flags = flags; if (name) { - strncpy(io->name, name, sizeof(io->name)); + int ret = strlcpy(io->name, name, sizeof(io->name)); + if (ret >= sizeof(io->name)) + abort(); } } int Devmapper::lookupActive(const char *name, char *ubuffer, size_t len) { - char *buffer = (char *) malloc(4096); + char *buffer = (char *) malloc(DEVMAPPER_BUFFER_SIZE); if (!buffer) { SLOGE("Error allocating memory (%s)", strerror(errno)); return -1; @@ -141,7 +146,7 @@ int Devmapper::lookupActive(const char *name, char *ubuffer, size_t len) { struct dm_ioctl *io = (struct dm_ioctl *) buffer; - ioctlInit(io, 4096, name, 0); + ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0); if (ioctl(fd, DM_DEV_STATUS, io)) { if (errno != ENXIO) { SLOGE("DM_DEV_STATUS ioctl failed for lookup (%s)", strerror(errno)); @@ -160,7 +165,7 @@ int Devmapper::lookupActive(const char *name, char *ubuffer, size_t len) { int Devmapper::create(const char *name, const char *loopFile, const char *key, unsigned int numSectors, char *ubuffer, size_t len) { - char *buffer = (char *) malloc(4096); + char *buffer = (char *) malloc(DEVMAPPER_BUFFER_SIZE); if (!buffer) { SLOGE("Error allocating memory (%s)", strerror(errno)); return -1; @@ -176,7 +181,7 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key, struct dm_ioctl *io = (struct dm_ioctl *) buffer; // Create the DM device - ioctlInit(io, 4096, name, 0); + ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0); if (ioctl(fd, DM_DEV_CREATE, io)) { SLOGE("Error creating device mapping (%s)", strerror(errno)); @@ -186,7 +191,7 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key, } // Set the legacy geometry - ioctlInit(io, 4096, name, 0); + ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0); char *geoParams = buffer + sizeof(struct dm_ioctl); // bps=512 spc=8 res=32 nft=2 sec=8190 mid=0xf0 spt=63 hds=64 hid=0 bspf=8 rdcl=2 infs=1 bkbs=2 @@ -201,7 +206,7 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key, } // Retrieve the device number we were allocated - ioctlInit(io, 4096, name, 0); + ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0); if (ioctl(fd, DM_DEV_STATUS, io)) { SLOGE("Error retrieving devmapper status (%s)", strerror(errno)); free(buffer); @@ -216,17 +221,19 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key, struct dm_target_spec *tgt; tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; - ioctlInit(io, 4096, name, DM_STATUS_TABLE_FLAG); + ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, DM_STATUS_TABLE_FLAG); io->target_count = 1; tgt->status = 0; tgt->sector_start = 0; tgt->length = numSectors; - strcpy(tgt->target_type, "crypt"); + strlcpy(tgt->target_type, "crypt", sizeof(tgt->target_type)); char *cryptParams = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); - sprintf(cryptParams, "twofish %s 0 %s 0", key, loopFile); + snprintf(cryptParams, + DEVMAPPER_BUFFER_SIZE - (sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec)), + "twofish %s 0 %s 0", key, loopFile); cryptParams += strlen(cryptParams) + 1; cryptParams = (char *) _align(cryptParams, 8); tgt->next = cryptParams - buffer; @@ -239,7 +246,7 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key, } // Resume the new table - ioctlInit(io, 4096, name, 0); + ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0); if (ioctl(fd, DM_DEV_SUSPEND, io)) { SLOGE("Error Resuming (%s)", strerror(errno)); @@ -255,7 +262,7 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key, } int Devmapper::destroy(const char *name) { - char *buffer = (char *) malloc(4096); + char *buffer = (char *) malloc(DEVMAPPER_BUFFER_SIZE); if (!buffer) { SLOGE("Error allocating memory (%s)", strerror(errno)); return -1; @@ -271,7 +278,7 @@ int Devmapper::destroy(const char *name) { struct dm_ioctl *io = (struct dm_ioctl *) buffer; // Create the DM device - ioctlInit(io, 4096, name, 0); + ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0); if (ioctl(fd, DM_DEV_REMOVE, io)) { if (errno != ENXIO) { @@ -190,8 +190,8 @@ int Loop::create(const char *id, const char *loopFile, char *loopDeviceBuffer, s struct loop_info64 li; memset(&li, 0, sizeof(li)); - strncpy((char*) li.lo_crypt_name, id, LO_NAME_SIZE); - strncpy((char*) li.lo_file_name, loopFile, LO_NAME_SIZE); + strlcpy((char*) li.lo_crypt_name, id, LO_NAME_SIZE); + strlcpy((char*) li.lo_file_name, loopFile, LO_NAME_SIZE); if (ioctl(fd, LOOP_SET_STATUS64, &li) < 0) { SLOGE("Error setting loopback status (%s)", strerror(errno)); @@ -21,6 +21,7 @@ #include <signal.h> #include <errno.h> #include <fcntl.h> +#include <stdlib.h> #include <sys/socket.h> #include <sys/select.h> @@ -56,6 +57,7 @@ int main(int argc, char **argv) { static int do_cmd(int sock, int argc, char **argv) { char final_cmd[255] = { '\0' }; int i; + int ret; for (i = 1; i < argc; i++) { char *cmp; @@ -65,7 +67,9 @@ static int do_cmd(int sock, int argc, char **argv) { else asprintf(&cmp, "\"%s\"%s", argv[i], (i == (argc -1)) ? "" : " "); - strcat(final_cmd, cmp); + ret = strlcat(final_cmd, cmp, sizeof(final_cmd)); + if (ret >= sizeof(final_cmd)) + abort(); free(cmp); } |