Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3724bbcb authored by Keith Mok's avatar Keith Mok
Browse files

Fix userspace fastboot with fuzzy test 

Add more checking for fastboot to detect malformed
requests.
Such as checking no control characters in the command
send from host.
Make sure the download command length is eight bytes.
And report FAIL if download length is zero.

Test: adb reboot fastboot
      fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid1
      fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid2
      fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid7
      fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid8
Bug: 212628476
Change-Id: I750174205377395b5328923fb00462d078f3310d
parent 921ad28a

fastboot/device/commands.cpp

+8 −0
Original line number Diff line number Diff line
@@ -268,10 +268,18 @@ bool DownloadHandler(FastbootDevice* device, const std::vector<std::string>& arg 
    }



    // arg[0] is the command name, arg[1] contains size of data to be downloaded

    // which should always be 8 bytes

    if (args[1].length() != 8) {

        return device->WriteStatus(FastbootResult::FAIL,

                                   "Invalid size (length of size != 8)");

    }

    unsigned int size;

    if (!android::base::ParseUint("0x" + args[1], &size, kMaxDownloadSizeDefault)) {

        return device->WriteStatus(FastbootResult::FAIL, "Invalid size");

    }

    if (size == 0) {

        return device->WriteStatus(FastbootResult::FAIL, "Invalid size (0)");

    }

    device->download_data().resize(size);

    if (!device->WriteStatus(FastbootResult::DATA, android::base::StringPrintf("%08x", size))) {

        return false;

fastboot/device/fastboot_device.cpp

+5 −0
Original line number Diff line number Diff line
@@ -186,6 +186,11 @@ void FastbootDevice::ExecuteCommands() { 
            PLOG(ERROR) << "Couldn't read command";

            return;

        }

        if (std::count_if(command, command + bytes_read, iscntrl) != 0) {

            WriteStatus(FastbootResult::FAIL,

                        "Command contains control character");

            continue;

        }

        command[bytes_read] = '\0';



        LOG(INFO) << "Fastboot command: " << command;