diff options
author | Connor O'Brien <connoro@google.com> | 2016-08-19 22:08:22 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-08-19 22:08:22 +0000 |
commit | 109024f74a4cb12dfb4b2e34fd1e913aae1e0d3e (patch) | |
tree | 43fd67e895cd1ad554105b330d87497e5809036a /libsysutils | |
parent | 7ed099593049f07d9939e0149c3e77b6f08ea341 (diff) | |
parent | e9e046df6ca5cdfdb068526d764263d608dd4516 (diff) | |
download | system_core-109024f74a4cb12dfb4b2e34fd1e913aae1e0d3e.tar.gz system_core-109024f74a4cb12dfb4b2e34fd1e913aae1e0d3e.tar.bz2 system_core-109024f74a4cb12dfb4b2e34fd1e913aae1e0d3e.zip |
Fix vold vulnerability in FrameworkListener am: 470484d2a2
am: e9e046df6c
Change-Id: I8f2452782817ddf03051af08e70ba9d4c4fa578a
Diffstat (limited to 'libsysutils')
-rw-r--r-- | libsysutils/src/FrameworkListener.cpp | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/libsysutils/src/FrameworkListener.cpp b/libsysutils/src/FrameworkListener.cpp index a5ffda230..15f126b33 100644 --- a/libsysutils/src/FrameworkListener.cpp +++ b/libsysutils/src/FrameworkListener.cpp @@ -44,6 +44,7 @@ void FrameworkListener::init(const char *socketName UNUSED, bool withSeq) { errorRate = 0; mCommandCount = 0; mWithSeq = withSeq; + mSkipToNextNullByte = false; } bool FrameworkListener::onDataAvailable(SocketClient *c) { @@ -54,10 +55,15 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) { if (len < 0) { SLOGE("read() failed (%s)", strerror(errno)); return false; - } else if (!len) + } else if (!len) { return false; - if(buffer[len-1] != '\0') + } else if (buffer[len-1] != '\0') { SLOGW("String is not zero-terminated"); + android_errorWriteLog(0x534e4554, "29831647"); + c->sendMsg(500, "Command too large for buffer", false); + mSkipToNextNullByte = true; + return false; + } int offset = 0; int i; @@ -65,11 +71,16 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) { for (i = 0; i < len; i++) { if (buffer[i] == '\0') { /* IMPORTANT: dispatchCommand() expects a zero-terminated string */ - dispatchCommand(c, buffer + offset); + if (mSkipToNextNullByte) { + mSkipToNextNullByte = false; + } else { + dispatchCommand(c, buffer + offset); + } offset = i + 1; } } + mSkipToNextNullByte = false; return true; } |