From 05c2de4c688ef34c80dc6df249acf0e661d5f23d Mon Sep 17 00:00:00 2001 From: Ayke van Laethem Date: Fri, 2 Jun 2017 00:19:27 +0200 Subject: Fix various memory errors There were a few memory errors while restoring a backup via adb (created using `adb backup --twrp`). On my device (S5 mini) it resulted in this error message: FORTIFY: strlen: prevented read past end of buffer This commit fixes this issue and a few other potential issues. Change-Id: I5022c94c961217238b3fefec0b2c4b8c6fa26ec7 --- adbbu/twadbstream.h | 5 +++++ adbbu/twrpback.cpp | 29 ++++++++++++++++++----------- 2 files changed, 23 insertions(+), 11 deletions(-) (limited to 'adbbu') diff --git a/adbbu/twadbstream.h b/adbbu/twadbstream.h index 23d4a1fea..5fa6bde5d 100644 --- a/adbbu/twadbstream.h +++ b/adbbu/twadbstream.h @@ -65,6 +65,11 @@ struct AdbBackupControlType { char type[16]; //stores the type of command, TWENDADB, TWCNT, TWEOF, TWMD5, TWDATA and TWERROR uint32_t crc; //stores the zlib 32 bit crc of the AdbBackupControlType struct to allow for making sure we are processing metadata char space[484]; //stores space to align the struct to 512 bytes + + //return a C++ string while not reading outside the type char array + std::string get_type() { + return std::string(type, strnlen(type, sizeof(type)-1)); + } }; //general info for file metadata stored in adb backup header diff --git a/adbbu/twrpback.cpp b/adbbu/twrpback.cpp index c59fd1cda..d9b973bcc 100644 --- a/adbbu/twrpback.cpp +++ b/adbbu/twrpback.cpp @@ -133,7 +133,12 @@ int twrpback::backup(std::string command) { } } - sprintf(operation, "adbbackup %s", command.c_str()); + memset(operation, 0, sizeof(operation)); + if (snprintf(operation, sizeof(operation), "adbbackup %s", command.c_str()) >= sizeof(operation)) { + adblogwrite("Operation too big to write to ORS_INPUT_FILE\n"); + close_backup_fds(); + return -1; + } if (write(write_fd, operation, sizeof(operation)) != sizeof(operation)) { adblogwrite("Unable to write to ORS_INPUT_FILE\n"); close_backup_fds(); @@ -173,8 +178,7 @@ int twrpback::backup(std::string command) { struct AdbBackupControlType structcmd; memcpy(&structcmd, cmd, sizeof(cmd)); - std::string cmdstr(structcmd.type); - std::string cmdtype = cmdstr.substr(0, sizeof(structcmd.type) - 1); + std::string cmdtype = structcmd.get_type(); //we received an error, exit and unlink if (cmdtype == TWERROR) { @@ -396,7 +400,6 @@ int twrpback::backup(std::string command) { int twrpback::restore(void) { twrpDigest adb_md5; - char cmd[MAX_ADB_READ]; char result[MAX_ADB_READ]; struct AdbBackupControlType structcmd; int adb_control_twrp_fd, errctr = 0; @@ -436,6 +439,7 @@ int twrpback::restore(void) { } } + memset(operation, 0, sizeof(operation)); sprintf(operation, "adbrestore"); if (write(write_fd, operation, sizeof(operation)) != sizeof(operation)) { adblogwrite("Unable to write to ORS_INPUT_FILE\n"); @@ -489,8 +493,7 @@ int twrpback::restore(void) { if (read(adb_control_bu_fd, &cmd, sizeof(cmd)) > 0) { struct AdbBackupControlType structcmd; memcpy(&structcmd, cmd, sizeof(cmd)); - std::string cmdstr(structcmd.type); - std::string cmdtype = cmdstr.substr(0, sizeof(structcmd.type) - 1); + std::string cmdtype = structcmd.get_type(); //If we receive TWEOF from TWRP close adb data fifo if (cmdtype == TWEOF) { @@ -516,13 +519,11 @@ int twrpback::restore(void) { } //If we should read from the adb stream, write commands and data to TWRP if (read_from_adb) { - std::string cmdstr; int readbytes; if ((readbytes = fread(result, 1, sizeof(result), adbd_fp)) == sizeof(result)) { totalbytes += readbytes; memcpy(&structcmd, result, sizeof(result)); - cmdstr = structcmd.type; - std::string cmdtype = cmdstr.substr(0, sizeof(structcmd.type) - 1); + std::string cmdtype = structcmd.get_type(); //Tell TWRP we have read the entire adb stream if (cmdtype == TWENDADB) { @@ -663,9 +664,9 @@ int twrpback::restore(void) { } totalbytes += readbytes; memcpy(&structcmd, result, sizeof(result)); - cmdstr = structcmd.type; + std::string cmdtype = structcmd.get_type(); - if (cmdstr.substr(0, sizeof(MD5TRAILER) - 1) == MD5TRAILER) { + if (cmdtype.substr(0, sizeof(MD5TRAILER) - 1) == MD5TRAILER) { struct AdbBackupFileTrailer md5tr; uint32_t crc, md5trcrc, md5ident, md5identmatch; @@ -778,6 +779,12 @@ int main(int argc, char **argv) { return -1; } + if (argc <= 1) { + tw.adblogwrite("No parameters given, exiting...\n"); + tw.close_restore_fds(); + return -1; + } + command = argv[1]; for (index = 2; index < argc; index++) { command = command + " " + argv[index]; -- cgit v1.2.3