Fix vold vulnerability in FrameworkListener am: 470484d2a2

am: e9e046df6c Change-Id: I8f2452782817ddf03051af08e70ba9d4c4fa578a
author: Connor O'Brien <connoro@google.com> 2016-08-19 22:08:22 +0000
committer: android-build-merger <android-build-merger@google.com> 2016-08-19 22:08:22 +0000
commit: 109024f74a4cb12dfb4b2e34fd1e913aae1e0d3e (patch)
tree: 43fd67e895cd1ad554105b330d87497e5809036a /libsysutils
parent: 7ed099593049f07d9939e0149c3e77b6f08ea341 (diff)
parent: e9e046df6ca5cdfdb068526d764263d608dd4516 (diff)
download: system_core-109024f74a4cb12dfb4b2e34fd1e913aae1e0d3e.tar.gz
system_core-109024f74a4cb12dfb4b2e34fd1e913aae1e0d3e.tar.bz2
system_core-109024f74a4cb12dfb4b2e34fd1e913aae1e0d3e.zip
1 files changed, 14 insertions, 3 deletions
diff --git a/libsysutils/src/FrameworkListener.cpp b/libsysutils/src/FrameworkListener.cpp
index a5ffda230..15f126b33 100644
--- a/libsysutils/src/FrameworkListener.cpp
+++ b/libsysutils/src/FrameworkListener.cpp
@@ -44,6 +44,7 @@ void FrameworkListener::init(const char *socketName UNUSED, bool withSeq) {
     errorRate = 0;
     mCommandCount = 0;
     mWithSeq = withSeq;
+    mSkipToNextNullByte = false;
 }
 
 bool FrameworkListener::onDataAvailable(SocketClient *c) {
@@ -54,10 +55,15 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
     if (len < 0) {
         SLOGE("read() failed (%s)", strerror(errno));
         return false;
-    } else if (!len)
+    } else if (!len) {
         return false;
-   if(buffer[len-1] != '\0')
+    } else if (buffer[len-1] != '\0') {
         SLOGW("String is not zero-terminated");
+        android_errorWriteLog(0x534e4554, "29831647");
+        c->sendMsg(500, "Command too large for buffer", false);
+        mSkipToNextNullByte = true;
+        return false;
+    }
 
     int offset = 0;
     int i;
@@ -65,11 +71,16 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
     for (i = 0; i < len; i++) {
         if (buffer[i] == '\0') {
             /* IMPORTANT: dispatchCommand() expects a zero-terminated string */
-            dispatchCommand(c, buffer + offset);
+            if (mSkipToNextNullByte) {
+                mSkipToNextNullByte = false;
+            } else {
+                dispatchCommand(c, buffer + offset);
+            }
             offset = i + 1;
         }
     }
 
+    mSkipToNextNullByte = false;
     return true;
 }
author	Connor O'Brien <connoro@google.com>	2016-08-19 22:08:22 +0000
committer	android-build-merger <android-build-merger@google.com>	2016-08-19 22:08:22 +0000
commit	109024f74a4cb12dfb4b2e34fd1e913aae1e0d3e (patch)
tree	43fd67e895cd1ad554105b330d87497e5809036a /libsysutils
parent	7ed099593049f07d9939e0149c3e77b6f08ea341 (diff)
parent	e9e046df6ca5cdfdb068526d764263d608dd4516 (diff)
download	system_core-109024f74a4cb12dfb4b2e34fd1e913aae1e0d3e.tar.gz system_core-109024f74a4cb12dfb4b2e34fd1e913aae1e0d3e.tar.bz2 system_core-109024f74a4cb12dfb4b2e34fd1e913aae1e0d3e.zip