Fix vold vulnerability in FrameworkListener

am: 470484d2a2 Change-Id: Id27ae391c4c0e07f014fbde41d99d45bfa275554
2016-08-19 22:01:08 +00:00 · 2016-08-19 22:01:08 +00:00 · e9e046df6c
commit e9e046df6c
parent ac3fbb1a4a 470484d2a2
2 changed files with 15 additions and 3 deletions
--- a/include/sysutils/FrameworkListener.h
+++ b/include/sysutils/FrameworkListener.h
@ -32,6 +32,7 @@ private:
    int mCommandCount;
    bool mWithSeq;
    FrameworkCommandCollection *mCommands;
+    bool mSkipToNextNullByte;

 public:
    FrameworkListener(const char *socketName);
--- a/libsysutils/src/FrameworkListener.cpp
+++ b/libsysutils/src/FrameworkListener.cpp
@ -42,6 +42,7 @@ void FrameworkListener::init(const char *socketName, bool withSeq) {
    errorRate = 0;
    mCommandCount = 0;
    mWithSeq = withSeq;
+    mSkipToNextNullByte = false;
 }

 bool FrameworkListener::onDataAvailable(SocketClient *c) {
@ -52,10 +53,15 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
    if (len < 0) {
        SLOGE("read() failed (%s)", strerror(errno));
        return false;
-    } else if (!len)
+    } else if (!len) {
        return false;
-   if(buffer[len-1] != '\0')
+    } else if (buffer[len-1] != '\0') {
        SLOGW("String is not zero-terminated");
+        android_errorWriteLog(0x534e4554, "29831647");
+        c->sendMsg(500, "Command too large for buffer", false);
+        mSkipToNextNullByte = true;
+        return false;
+    }

    int offset = 0;
    int i;
@ -63,11 +69,16 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
    for (i = 0; i < len; i++) {
        if (buffer[i] == '\0') {
            /* IMPORTANT: dispatchCommand() expects a zero-terminated string */
-            dispatchCommand(c, buffer + offset);
+            if (mSkipToNextNullByte) {
+                mSkipToNextNullByte = false;
+            } else {
+                dispatchCommand(c, buffer + offset);
+            }
            offset = i + 1;
        }
    }

+    mSkipToNextNullByte = false;
    return true;
 }