From 3724bbcbe99cbe6d3697d19e5d1658838da3a179 Mon Sep 17 00:00:00 2001 From: Keith Mok Date: Thu, 30 Dec 2021 20:08:04 +0000 Subject: [PATCH] Fix userspace fastboot with fuzzy test Add more checking for fastboot to detect malformed requests. Such as checking no control characters in the command send from host. Make sure the download command length is eight bytes. And report FAIL if download length is zero. Test: adb reboot fastboot fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid1 fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid2 fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid7 fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid8 Bug: 212628476 Change-Id: I750174205377395b5328923fb00462d078f3310d --- fastboot/device/commands.cpp | 8 ++++++++ fastboot/device/fastboot_device.cpp | 5 +++++ 2 files changed, 13 insertions(+) diff --git a/fastboot/device/commands.cpp b/fastboot/device/commands.cpp index 4042531e5..b9f6c973c 100644 --- a/fastboot/device/commands.cpp +++ b/fastboot/device/commands.cpp @@ -268,10 +268,18 @@ bool DownloadHandler(FastbootDevice* device, const std::vector& arg } // arg[0] is the command name, arg[1] contains size of data to be downloaded + // which should always be 8 bytes + if (args[1].length() != 8) { + return device->WriteStatus(FastbootResult::FAIL, + "Invalid size (length of size != 8)"); + } unsigned int size; if (!android::base::ParseUint("0x" + args[1], &size, kMaxDownloadSizeDefault)) { return device->WriteStatus(FastbootResult::FAIL, "Invalid size"); } + if (size == 0) { + return device->WriteStatus(FastbootResult::FAIL, "Invalid size (0)"); + } device->download_data().resize(size); if (!device->WriteStatus(FastbootResult::DATA, android::base::StringPrintf("%08x", size))) { return false; diff --git a/fastboot/device/fastboot_device.cpp b/fastboot/device/fastboot_device.cpp index e6a834e59..ae225debc 100644 --- a/fastboot/device/fastboot_device.cpp +++ b/fastboot/device/fastboot_device.cpp 
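Review bot: In fastboot/device/commands.cpp, the new `args[1].length() != 8` check in DownloadHandler hard-codes the same width as the `%08x` DATA reply a few lines below, and its comment says "8 bytes" where the field is eight hexadecimal characters. The length check does not restrict which characters appear; rejecting non-hex input and sizes above `kMaxDownloadSizeDefault` still depends on the `ParseUint` call that follows. A comment should say so, so that a later refactor keeps both checks: `// Size field is exactly 8 hex digits (matches the %08x reply); ParseUint below rejects non-hex input and sizes above kMaxDownloadSizeDefault.` A named constant shared by the check and the message would also keep the width in one place. DownloadHandler starts and ends outside the hunk, so the guard that `args[1]` exists is presumably in the lines above and is not visible here.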
@@ -186,6 +186,11 @@ void FastbootDevice::ExecuteCommands() { PLOG(ERROR) << "Couldn't read command"; return; } + if (std::count_if(command, command + bytes_read, iscntrl) != 0) { + WriteStatus(FastbootResult::FAIL, + "Command contains control character"); + continue; + } command[bytes_read] = '\0'; LOG(INFO) << "Fastboot command: " << command;
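Review bot: In FastbootDevice::ExecuteCommands, `iscntrl` is passed directly to `std::count_if` over `command`, so each element is converted to `int` as-is. If `command` is a plain `char` buffer (its declaration is outside the hunk) and `char` is signed on the target, host-supplied bytes at or above 0x80 reach `iscntrl` as negative values, which the C standard leaves undefined. Taking the byte as `unsigned char` avoids that, and `std::any_of` states the intent and stops at the first match: `if (std::any_of(command, command + bytes_read, [](unsigned char c) { return iscntrl(c) != 0; })) {`. The result of `WriteStatus` is dropped before `continue`, so a failed write goes unnoticed on this path; whether the rest of the loop checks it is not visible in this hunk. The diffstat shows no include added to this file, so `<algorithm>` and `<ctype.h>` must already be in scope.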