Merge "Address property service DoS."
diff --git a/init/Android.mk b/init/Android.mk
index a10a714..18cbedc 100644
--- a/init/Android.mk
+++ b/init/Android.mk
@@ -123,6 +123,7 @@
LOCAL_MODULE := init_tests
LOCAL_SRC_FILES := \
init_parser_test.cpp \
+ property_service_test.cpp \
util_test.cpp \
LOCAL_SHARED_LIBRARIES += \
diff --git a/init/property_service.cpp b/init/property_service.cpp
index ce197ee..04bcb18 100644
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
@@ -245,6 +245,13 @@
return true;
}
+ // http://b/35166374: don't allow init to make arbitrarily large allocations.
+ if (len > 0xffff) {
+ LOG(ERROR) << "sys_prop: RecvString asked to read huge string: " << len;
+ errno = ENOMEM;
+ return false;
+ }
+
std::vector<char> chars(len);
if (!RecvChars(&chars[0], len, timeout_ms)) {
return false;
@@ -386,12 +393,11 @@
return;
}
- /* Check socket options here */
struct ucred cr;
socklen_t cr_size = sizeof(cr);
if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &cr, &cr_size) < 0) {
close(s);
- PLOG(ERROR) << "Unable to receive socket options";
+ PLOG(ERROR) << "sys_prop: unable to get SO_PEERCRED";
return;
}
@@ -399,14 +405,13 @@
uint32_t timeout_ms = kDefaultSocketTimeout;
uint32_t cmd = 0;
-
if (!socket.RecvUint32(&cmd, &timeout_ms)) {
PLOG(ERROR) << "sys_prop: error while reading command from the socket";
socket.SendUint32(PROP_ERROR_READ_CMD);
return;
}
- switch(cmd) {
+ switch (cmd) {
case PROP_MSG_SETPROP: {
char prop_name[PROP_NAME_MAX];
char prop_value[PROP_VALUE_MAX];
@@ -437,7 +442,9 @@
handle_property_set(socket, name, value, false);
break;
}
+
default:
+ LOG(ERROR) << "sys_prop: invalid command " << cmd;
socket.SendUint32(PROP_ERROR_INVALID_CMD);
break;
}
diff --git a/init/property_service_test.cpp b/init/property_service_test.cpp
new file mode 100644
index 0000000..4d784aa
--- /dev/null
+++ b/init/property_service_test.cpp
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <errno.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#define _REALLY_INCLUDE_SYS__SYSTEM_PROPERTIES_H_
+#include <sys/_system_properties.h>
+
+#include <gtest/gtest.h>
+
+TEST(property_service, very_long_name_35166374) {
+ // Connect to the property service directly...
+ int fd = socket(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0);
+ ASSERT_NE(fd, -1);
+
+ static const char* property_service_socket = "/dev/socket/" PROP_SERVICE_NAME;
+ sockaddr_un addr = {};
+ addr.sun_family = AF_LOCAL;
+ strlcpy(addr.sun_path, property_service_socket, sizeof(addr.sun_path));
+
+ socklen_t addr_len = strlen(property_service_socket) + offsetof(sockaddr_un, sun_path) + 1;
+ ASSERT_NE(connect(fd, reinterpret_cast<sockaddr*>(&addr), addr_len), -1);
+
+ // ...so we can send it a malformed request.
+ uint32_t msg = PROP_MSG_SETPROP2;
+ uint32_t size = 0xffffffff;
+ uint32_t data = 0xdeadbeef;
+
+ ASSERT_EQ(static_cast<ssize_t>(sizeof(msg)), send(fd, &msg, sizeof(msg), 0));
+ ASSERT_EQ(static_cast<ssize_t>(sizeof(size)), send(fd, &size, sizeof(size), 0));
+ ASSERT_EQ(static_cast<ssize_t>(sizeof(data)), send(fd, &data, sizeof(data), 0));
+ ASSERT_EQ(0, close(fd));
+}