Address property service DoS.

Bug: http://b/35166374
Test: ran new test
Change-Id: I94cf5750f0d2dc87f4a118b2c63b16255ef30fd2

init/Android.mk

@@ -123,6 +123,7 @@ include $(CLEAR_VARS)
 LOCAL_MODULE := init_tests
 LOCAL_SRC_FILES := \
     init_parser_test.cpp \
+    property_service_test.cpp \
     util_test.cpp \
 
 LOCAL_SHARED_LIBRARIES += \

init/property_service.cpp

@@ -245,6 +245,13 @@ class SocketConnection {
       return true;
     }
 
+    // http://b/35166374: don't allow init to make arbitrarily large allocations.
+    if (len > 0xffff) {
+      LOG(ERROR) << "sys_prop: RecvString asked to read huge string: " << len;
+      errno = ENOMEM;
+      return false;
+    }
+
     std::vector<char> chars(len);
     if (!RecvChars(&chars[0], len, timeout_ms)) {
       return false;
@@ -386,12 +393,11 @@ static void handle_property_set_fd() {
         return;
     }
 
-    /* Check socket options here */
     struct ucred cr;
     socklen_t cr_size = sizeof(cr);
     if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &cr, &cr_size) < 0) {
         close(s);
-        PLOG(ERROR) << "Unable to receive socket options";
+        PLOG(ERROR) << "sys_prop: unable to get SO_PEERCRED";
         return;
     }
 
@@ -399,14 +405,13 @@ static void handle_property_set_fd() {
     uint32_t timeout_ms = kDefaultSocketTimeout;
 
     uint32_t cmd = 0;
-
     if (!socket.RecvUint32(&cmd, &timeout_ms)) {
         PLOG(ERROR) << "sys_prop: error while reading command from the socket";
         socket.SendUint32(PROP_ERROR_READ_CMD);
         return;
     }
 
-    switch(cmd) {
+    switch (cmd) {
     case PROP_MSG_SETPROP: {
         char prop_name[PROP_NAME_MAX];
         char prop_value[PROP_VALUE_MAX];
@@ -437,7 +442,9 @@ static void handle_property_set_fd() {
         handle_property_set(socket, name, value, false);
         break;
       }
+
     default:
+        LOG(ERROR) << "sys_prop: invalid command " << cmd;
         socket.SendUint32(PROP_ERROR_INVALID_CMD);
         break;
     }

init/property_service_test.cpp

@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <errno.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#define _REALLY_INCLUDE_SYS__SYSTEM_PROPERTIES_H_
+#include <sys/_system_properties.h>
+
+#include <gtest/gtest.h>
+
+TEST(property_service, very_long_name_35166374) {
+  // Connect to the property service directly...
+  int fd = socket(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0);
+  ASSERT_NE(fd, -1);
+
+  static const char* property_service_socket = "/dev/socket/" PROP_SERVICE_NAME;
+  sockaddr_un addr = {};
+  addr.sun_family = AF_LOCAL;
+  strlcpy(addr.sun_path, property_service_socket, sizeof(addr.sun_path));
+
+  socklen_t addr_len = strlen(property_service_socket) + offsetof(sockaddr_un, sun_path) + 1;
+  ASSERT_NE(connect(fd, reinterpret_cast<sockaddr*>(&addr), addr_len), -1);
+
+  // ...so we can send it a malformed request.
+  uint32_t msg = PROP_MSG_SETPROP2;
+  uint32_t size = 0xffffffff;
+  uint32_t data = 0xdeadbeef;
+
+  ASSERT_EQ(static_cast<ssize_t>(sizeof(msg)), send(fd, &msg, sizeof(msg), 0));
+  ASSERT_EQ(static_cast<ssize_t>(sizeof(size)), send(fd, &size, sizeof(size), 0));
+  ASSERT_EQ(static_cast<ssize_t>(sizeof(data)), send(fd, &data, sizeof(data), 0));
+  ASSERT_EQ(0, close(fd));
+}