
Commit baa126dc authored by Connor O'Brien's avatar Connor O'Brien

Fix vold vulnerability in FrameworkListener



Modify FrameworkListener to ignore commands that exceed the maximum
buffer length and send an error message.

Bug: 29831647
Change-Id: I9e57d1648d55af2ca0191bb47868e375ecc26950
Signed-off-by: default avatarConnor O'Brien <connoro@google.com>
parent af6ab2c6
+1 −0
@@ -32,6 +32,7 @@ private:
    int mCommandCount;
    bool mWithSeq;
    FrameworkCommandCollection *mCommands;
    bool mSkipToNextNullByte;

public:
    FrameworkListener(const char *socketName);
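Review bot: The mSkipToNextNullByte member is declared without a comment, and the name alone does not say who sets it or that it lives on the listener rather than on an individual client. A one-line comment at the declaration would do, for example `// Set when a read did not end in '\0'; the next NUL-terminated chunk is then dropped instead of dispatched.` The class body starts and ends outside this hunk.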
+14 −3
@@ -49,6 +49,7 @@ void FrameworkListener::init(const char *socketName UNUSED, bool withSeq) {
    errorRate = 0;
    mCommandCount = 0;
    mWithSeq = withSeq;
    mSkipToNextNullByte = false;
}

bool FrameworkListener::onDataAvailable(SocketClient *c) {
@@ -59,10 +60,15 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
    if (len < 0) {
        SLOGE("read() failed (%s)", strerror(errno));
        return false;
    } else if (!len)
    } else if (!len) {
        return false;
   if(buffer[len-1] != '\0')
    } else if (buffer[len-1] != '\0') {
        SLOGW("String is not zero-terminated");
        android_errorWriteLog(0x534e4554, "29831647");
        c->sendMsg(500, "Command too large for buffer", false);
        mSkipToNextNullByte = true;
        return false;
    }

    int offset = 0;
    int i;
@@ -70,11 +76,16 @@ bool FrameworkListener::onDataAvailable(SocketClient *c) {
    for (i = 0; i < len; i++) {
        if (buffer[i] == '\0') {
            /* IMPORTANT: dispatchCommand() expects a zero-terminated string */
            if (mSkipToNextNullByte) {
                mSkipToNextNullByte = false;
            } else {
                dispatchCommand(c, buffer + offset);
            }
            offset = i + 1;
        }
    }

    mSkipToNextNullByte = false;
    return true;
}
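Review bot: mSkipToNextNullByte is state on the listener, not on the SocketClient, so once the oversized-read branch sets it and returns false, the next onDataAvailable() call silently drops its first NUL-terminated command, whichever client that call is for. The read-error and EOF branches also return false, which suggests the caller (not shown here) closes the client on false; if so, the rest of the oversized command never arrives and the flag can only affect an unrelated client's command. Consider keeping the skip state per client, or clearing it when the offending client is released. Separately, the branch fires on any read whose last byte is not '\0', so complete commands earlier in the same buffer are discarded and a command merely split across two reads is reported as too large. If that is intended, say so above the branch, e.g. `/* Any read not ending in '\0' is rejected whole, including complete commands earlier in the buffer. */`.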