Commit 18bc2894 authored by Vairavan Srinivasan, committed by Steve Kondik

frameworks/base: Cap the number of toasts that a package can post.

NotificationManagerService keeps track of requested toasts in a
queue. Any package can trigger a DoS by repeated enqueue of
toasts which eventually results in a leak of WeakReferences in
system_server and causes dalvik (hosting system_server) to
abort the same.

Change-Id: If2ec9e8868c8d4a2641f9229f47196bf71bc0981
parent 259046fd
+18 −0
@@ -630,6 +630,24 @@ public class NotificationManagerService extends INotificationManager.Stub
                    record = mToastQueue.get(index);
                    record.update(duration);
                } else {
                    // Limit the number of toasts that any given package except the android
                    // package can enqueue.  Prevents DOS attacks and deals with leaks.
                    if (!"android".equals(pkg)) {
                        int count = 0;
                        final int N = mToastQueue.size();
                        for (int i=0; i<N; i++) {
                             final ToastRecord r = mToastQueue.get(i);
                             if (r.pkg.equals(pkg)) {
                                 count++;
                                 if (count >= MAX_PACKAGE_NOTIFICATIONS) {
                                     Slog.e(TAG, "Package has already posted " + count
                                            + " toasts. Not showing more. Package=" + pkg);
                                     return;
                                 }
                             }
                        }
                    }

                    record = new ToastRecord(callingPid, pkg, callback, duration);
                    mToastQueue.add(record);
                    index = mToastQueue.size() - 1;
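
Review bot: the added `if (!"android".equals(pkg))` block trusts the `pkg` string for both the exemption and the per-package count (`r.pkg.equals(pkg)`), and nothing in this hunk ties `pkg` to the caller's identity; unless that is verified earlier in the method, the limit should be keyed on the calling UID, or `pkg` should be validated against it before this check. Two smaller points: `MAX_PACKAGE_NOTIFICATIONS` is not defined in this change and by its name is the notification limit, so a dedicated toast constant would let the two caps be tuned separately; and the `Slog.e` fires on every rejected call, so a package that keeps enqueuing after reaching the cap will flood the log. Consider logging once per package or at a lower level.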