commit 6306d4192558c56ac130fe6d66fbca227fd137d6
author David 'Digit' Turner <digit@google.com> Mon Jan 17 03:29:04 2011 +0100
committer Nick Kralevich <nnk@google.com> Mon Oct 10 14:26:13 2011 -0700
tree 7d03824244d4d56ad22eace33f998ef1235c32bc
parent beec0066fcef96a8db8347bc0e6967eabca1d299

DO NOT MERGE libsysutils: Fix potential overwrites in FrameworkListener

+ Handle EINTR in read()
Bug: 5438357
Backport from master.

Change-Id: If7d486dd4fb5666ce16ef36dca5f417da23e0b73

libsysutils/src/FrameworkListener.cpp

diff --git a/libsysutils/src/FrameworkListener.cpp b/libsysutils/src/FrameworkListener.cpp
index 640b6df..d7fd025 100644
--- a/libsysutils/src/FrameworkListener.cpp
+++ b/libsysutils/src/FrameworkListener.cpp
@@ -33,7 +33,8 @@
     char buffer[255];
     int len;
 
-    if ((len = read(c->getSocket(), buffer, sizeof(buffer) -1)) < 0) {
+    len = TEMP_FAILURE_RETRY(read(c->getSocket(), buffer, sizeof(buffer)));
+    if (len < 0) {
         SLOGE("read() failed (%s)", strerror(errno));
         return false;
     } else if (!len)
@@ -44,6 +45,7 @@
 
     for (i = 0; i < len; i++) {
         if (buffer[i] == '\0') {
+            /* IMPORTANT: dispatchCommand() expects a zero-terminated string */
             dispatchCommand(c, buffer + offset);
             offset = i + 1;
         }
@@ -62,6 +64,7 @@
     char tmp[255];
     char *p = data;
     char *q = tmp;
+    char *qlimit = tmp + sizeof(tmp) - 1;
     bool esc = false;
     bool quote = false;
     int k;
@@ -71,6 +74,8 @@
     while(*p) {
         if (*p == '\\') {
             if (esc) {
+                if (q >= qlimit)
+                    goto overflow;
                 *q++ = '\\';
                 esc = false;
             } else
@@ -78,11 +83,15 @@
             p++;
             continue;
         } else if (esc) {
-            if (*p == '"')
+            if (*p == '"') {
+                if (q >= qlimit)
+                    goto overflow;
                 *q++ = '"';
-            else if (*p == '\\')
+            } else if (*p == '\\') {
+                if (q >= qlimit)
+                    goto overflow;
                 *q++ = '\\';
-            else {
+            } else {
                 cli->sendMsg(500, "Unsupported escape sequence", false);
                 goto out;
             }
@@ -100,9 +109,13 @@
             continue;
         }
 
+        if (q >= qlimit)
+            goto overflow;
         *q = *p++;
         if (!quote && *q == ' ') {
             *q = '\0';
+            if (argc >= CMD_ARGS_MAX)
+                goto overflow;
             argv[argc++] = strdup(tmp);
             memset(tmp, 0, sizeof(tmp));
             q = tmp;
@@ -111,6 +124,9 @@
         q++;
     }
 
+    *q = '\0';
+    if (argc >= CMD_ARGS_MAX)
+        goto overflow;
     argv[argc++] = strdup(tmp);
 #if 0
     for (k = 0; k < argc; k++) {
@@ -122,7 +138,7 @@
         cli->sendMsg(500, "Unclosed quotes error", false);
         goto out;
     }
-    
+
     for (i = mCommands->begin(); i != mCommands->end(); ++i) {
         FrameworkCommand *c = *i;
 
@@ -140,4 +156,8 @@
     for (j = 0; j < argc; j++)
         free(argv[j]);
     return;
+
+overflow:
+    cli->sendMsg(500, "Command too long", false);
+    goto out;
 }