Merge "Add MCL_ONFAULT to mlockall" am: ccb9960beb
am: 179c81f733
Change-Id: Iae5a52528102bd3c19c3cc9eff661130d1e35c92
diff --git a/libnetutils/packet.c b/libnetutils/packet.c
index e53a4c8..9ecdd4f 100644
--- a/libnetutils/packet.c
+++ b/libnetutils/packet.c
@@ -218,6 +218,20 @@
* to construct the pseudo header used in the checksum calculation.
*/
dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp);
+ /*
+ * check validity of dhcp_size.
+ * 1) cannot be negative or zero.
+ * 2) src buffer contains enough bytes to copy
+ * 3) cannot exceed destination buffer
+ */
+ if ((dhcp_size <= 0) ||
+ ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) ||
+ ((int)sizeof(struct dhcp_msg) < dhcp_size)) {
+#if VERBOSE
+ ALOGD("Malformed Packet");
+#endif
+ return -1;
+ }
saddr = packet.ip.saddr;
daddr = packet.ip.daddr;
nread = ntohs(packet.ip.tot_len);
diff --git a/libziparchive/zip_archive_test.cc b/libziparchive/zip_archive_test.cc
index ad673dc..ff73eb2 100644
--- a/libziparchive/zip_archive_test.cc
+++ b/libziparchive/zip_archive_test.cc
@@ -643,6 +643,55 @@
ASSERT_STREQ("I/O error", ErrorCodeString(kIoError));
}
+// A zip file whose local file header at offset zero is corrupted.
+//
+// ---------------
+// cat foo > a.txt
+// zip a.zip a.txt
+// cat a.zip | xxd -i
+//
+// Manual changes :
+// [2] = 0xff // Corrupt the LFH signature of entry 0.
+// [3] = 0xff // Corrupt the LFH signature of entry 0.
+static const std::vector<uint8_t> kZipFileWithBrokenLfhSignature{
+ //[lfh-sig-----------], [lfh contents---------------------------------
+ 0x50, 0x4b, 0xff, 0xff, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x80,
+ //--------------------------------------------------------------------
+ 0x09, 0x4b, 0xa8, 0x65, 0x32, 0x7e, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00,
+ //-------------------------------] [file-name-----------------], [---
+ 0x00, 0x00, 0x05, 0x00, 0x1c, 0x00, 0x61, 0x2e, 0x74, 0x78, 0x74, 0x55,
+ // entry-contents------------------------------------------------------
+ 0x54, 0x09, 0x00, 0x03, 0x51, 0x24, 0x8b, 0x59, 0x51, 0x24, 0x8b, 0x59,
+ //--------------------------------------------------------------------
+ 0x75, 0x78, 0x0b, 0x00, 0x01, 0x04, 0x89, 0x42, 0x00, 0x00, 0x04, 0x88,
+ //-------------------------------------], [cd-record-sig-------], [---
+ 0x13, 0x00, 0x00, 0x66, 0x6f, 0x6f, 0x0a, 0x50, 0x4b, 0x01, 0x02, 0x1e,
+ // cd-record-----------------------------------------------------------
+ 0x03, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x80, 0x09, 0x4b, 0xa8,
+ //--------------------------------------------------------------------
+ 0x65, 0x32, 0x7e, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05,
+ //--------------------------------------------------------------------
+ 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xa0,
+ //-] [lfh-file-header-off-], [file-name-----------------], [extra----
+ 0x81, 0x00, 0x00, 0x00, 0x00, 0x61, 0x2e, 0x74, 0x78, 0x74, 0x55, 0x54,
+ //--------------------------------------------------------------------
+ 0x05, 0x00, 0x03, 0x51, 0x24, 0x8b, 0x59, 0x75, 0x78, 0x0b, 0x00, 0x01,
+ //-------------------------------------------------------], [eocd-sig-
+ 0x04, 0x89, 0x42, 0x00, 0x00, 0x04, 0x88, 0x13, 0x00, 0x00, 0x50, 0x4b,
+ //-------], [---------------------------------------------------------
+ 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x4b, 0x00,
+ //-------------------------------------------]
+ 0x00, 0x00, 0x43, 0x00, 0x00, 0x00, 0x00, 0x00};
+
+TEST(ziparchive, BrokenLfhSignature) {
+ TemporaryFile tmp_file;
+ ASSERT_NE(-1, tmp_file.fd);
+ ASSERT_TRUE(android::base::WriteFully(tmp_file.fd, &kZipFileWithBrokenLfhSignature[0],
+ kZipFileWithBrokenLfhSignature.size()));
+ ZipArchiveHandle handle;
+ ASSERT_EQ(-1, OpenArchiveFd(tmp_file.fd, "LeadingNonZipBytes", &handle));
+}
+
class VectorReader : public zip_archive::Reader {
public:
VectorReader(const std::vector<uint8_t>& input) : Reader(), input_(input) {}