OSDN > Developer > hafixie93 > Chambre > external-koush-Superuser > Commit

external-koush-Superuser
Fork

Origine de Fork: android-x86 / external-koush-Superuser

R/O
HTTP
SSH
HTTPS

Commit

Tags

Aucun tag

external/koush/Superuser

Commit MetaInfo

Révision	72d541291ef543eec7ab08fd9f3048a4efe2df2e (tree)
l'heure	2013-08-12 10:05:11
Auteur	Koushik Dutta <koushd@gmai...>
Commiter	Koushik Dutta

Message de Log

sanitize inputs. verify mallocs.

Change-Id: If5d7a51ca56c4dba6948d2f405f41721a15a16b6

Change Summary

modified: Superuser/jni/su/daemon.c (diff)

Modification

--- a/Superuser/jni/su/daemon.c

+++ b/Superuser/jni/su/daemon.c

		@@ -45,7 +45,7 @@ int daemon_from_pid = 0;
45	45	static int read_int(int fd) {
46	46	int val;
47	47	int len = read(fd, &val, sizeof(int));
48		- if (len < sizeof(int)) {
	48	+ if (len != sizeof(int)) {
49	49	LOGE("unable to read int");
50	50	exit(-1);
51	51	}

		@@ -62,11 +62,15 @@ static void write_int(int fd, int val) {
62	62
63	63	static char* read_string(int fd) {
64	64	int len = read_int(fd);
65		- if (len > PATH_MAX) {
66		- LOGE("string too long");
	65	+ if (len > PATH_MAX \|\| len < 0) {
	66	+ LOGE("invalid string length %d", len);
67	67	exit(-1);
68	68	}
69	69	char* val = malloc(sizeof(char) * (len + 1));
	70	+ if (val == NULL) {
	71	+ LOGE("unable to malloc string");
	72	+ exit(-1);
	73	+ }
70	74	val[len] = '\0';
71	75	int amount = read(fd, val, len);
72	76	if (amount != len) {

		@@ -131,6 +135,10 @@ static void* pump_thread(void* data) {
131	135	static void pump_async(int input, int output) {
132	136	pthread_t writer;
133	137	int* files = (int)malloc(sizeof(int) 2);
	138	+ if (files == NULL) {
	139	+ LOGE("unable to pump_async");
	140	+ exit(-1);
	141	+ }
134	142	files[0] = input;
135	143	files[1] = output;
136	144	pthread_create(&writer, NULL, pump_thread, files);

		@@ -147,6 +155,10 @@ static int daemon_accept(int fd) {
147	155	daemon_from_pid = read_int(fd);
148	156	LOGD("remote req pid: %d", daemon_from_pid);
149	157	int argc = read_int(fd);
	158	+ if (argc < 0 \|\| argc > 512) {
	159	+ LOGE("unable to allocate args: %d", argc);
	160	+ exit(-1);
	161	+ }
150	162	LOGD("remote args: %d", argc);
151	163	char argv = (char)malloc(sizeof(char) (argc + 1));
152	164	argv[argc] = NULL;