Fix vold vulnerability in FrameworkListener (470484d2) · Commits · e / os / android_system_core

include/sysutils/FrameworkListener.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -32,6 +32,7 @@ private:
		int mCommandCount;
		bool mWithSeq;
		FrameworkCommandCollection *mCommands;
		bool mSkipToNextNullByte;

		public:
		FrameworkListener(const char *socketName);

+14 −3

Original line number	Diff line number	Diff line
		@@ -42,6 +42,7 @@ void FrameworkListener::init(const char *socketName, bool withSeq) {
		errorRate = 0;
		mCommandCount = 0;
		mWithSeq = withSeq;
		mSkipToNextNullByte = false;
		}

		bool FrameworkListener::onDataAvailable(SocketClient *c) {
		@@ -52,10 +53,15 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
		if (len < 0) {
		SLOGE("read() failed (%s)", strerror(errno));
		return false;
		} else if (!len)
		} else if (!len) {
		return false;
		if(buffer[len-1] != '\0')
		} else if (buffer[len-1] != '\0') {
		SLOGW("String is not zero-terminated");
		android_errorWriteLog(0x534e4554, "29831647");
		c->sendMsg(500, "Command too large for buffer", false);
		mSkipToNextNullByte = true;
		return false;
		}

		int offset = 0;
		int i;
		@@ -63,11 +69,16 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
		for (i = 0; i < len; i++) {
		if (buffer[i] == '\0') {
		/* IMPORTANT: dispatchCommand() expects a zero-terminated string */
		if (mSkipToNextNullByte) {
		mSkipToNextNullByte = false;
		} else {
		dispatchCommand(c, buffer + offset);
		}
		offset = i + 1;
		}
		}

		mSkipToNextNullByte = false;
		return true;
		}