metrics: Add a check for abnormally small messages to prevent crashes

In some situations the |message_size| read from |fd| comes up as 0. In this
case we try to read a negative size for the message body and this leads to
crashes. Add a check to make sure that message_size is at least 4 bytes long
to account for the required 32-bit integer message size field.

BUG=chrome-os-partner:40711
TEST=`FEATURES=test emerge-link metrics`

Change-Id: Ie9adbc8e0e6a9f2c80450bf7ebcb3e05ad1f1f8e
Reviewed-on: https://chromium-review.googlesource.com/276362
Trybot-Ready: Alex Vakulenko <avakulenko@chromium.org>
Tested-by: Alex Vakulenko <avakulenko@chromium.org>
Reviewed-by: Bertrand Simonnet <bsimonnet@chromium.org>
Commit-Queue: Alex Vakulenko <avakulenko@chromium.org>
Alex Vakulenko 2015-06-09 10:09:44 -07:00 committed by ChromeOS Commit Bot
parent ba08992d1e
commit ef31bec13e


@ -36,7 +36,8 @@ bool ReadMessage(int fd, std::string* message) {
CHECK(message);
int result;
int32 message_size;
int32_t message_size;
const int32_t message_hdr_size = sizeof(message_size);
// The file containing the metrics do not leave the device so the writer and
// the reader will always have the same endianness.
result = HANDLE_EINTR(read(fd, &message_size, sizeof(message_size)));
@ -48,7 +49,7 @@ bool ReadMessage(int fd, std::string* message) {
// This indicates a normal EOF.
return false;
}
if (result < static_cast<int>(sizeof(message_size))) {
if (result < message_hdr_size) {
DLOG(ERROR) << "bad read size " << result << ", expecting "
<< sizeof(message_size);
return false;
@ -68,7 +69,12 @@ bool ReadMessage(int fd, std::string* message) {
return true;
}
message_size -= sizeof(message_size); // The message size includes itself.
if (message_size < message_hdr_size) {
DLOG(ERROR) << "message too short : " << message_size;
return false;
}
message_size -= message_hdr_size; // The message size includes itself.
char buffer[SerializationUtils::kMessageMaxLength];
if (!base::ReadFromFD(fd, buffer, message_size)) {
DPLOG(ERROR) << "reading metrics message body";
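Review bot: The new lower-bound check in the third hunk guards the subtraction, but the matching upper bound for `char buffer[SerializationUtils::kMessageMaxLength]` is not visible in this hunk, so it cannot be confirmed from here that `base::ReadFromFD(fd, buffer, message_size)` always stays inside the stack buffer. The `return true; }` context just above presumably closes an over-length branch, but that code lies between the hunks and should be checked. Once that is confirmed, a comment at the new check would record the invariant next to the read, for example `// message_size counts its own header; values above kMessageMaxLength were rejected earlier.` Because the size field comes from file contents, a unit test that feeds a size field of 0 and of 3 would pin the new behavior; none is visible in this section. ReadMessage's body starts and ends outside the hunks shown.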