commit 88007a2e8d27a04f70236cad6fb3c81d69fa8909
author Treehugger Robot <treehugger-gerrit@google.com> Mon Oct 08 20:33:46 2018 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Mon Oct 08 20:33:46 2018 +0000
tree 4c278dad432b054e1ed1c199314bca7ed7feaf75
parent c681a5fe009a8db7727f330ac69639c536ed00de
parent edce82b67c2081654543354d510edb55b436d630

Merge changes Id6c00c76,Ibc74a12f

* changes:
  Check return status of ReadFileToString() in GetDeviceLockStatus()
  Validate partition name when searching for physical partitions.

fastboot/device/utility.cpp

diff --git a/fastboot/device/utility.cpp b/fastboot/device/utility.cpp
index 528abec..b844b9f 100644
--- a/fastboot/device/utility.cpp
+++ b/fastboot/device/utility.cpp
@@ -23,6 +23,7 @@
 
 #include <android-base/file.h>
 #include <android-base/logging.h>
+#include <android-base/strings.h>
 #include <fs_mgr.h>
 #include <fs_mgr_dm_linear.h>
 #include <liblp/liblp.h>
@@ -82,6 +83,10 @@
 }
 
 std::optional<std::string> FindPhysicalPartition(const std::string& name) {
+    // Check for an invalid file name
+    if (android::base::StartsWith(name, "../") || name.find("/../") != std::string::npos) {
+        return {};
+    }
     std::string path = "/dev/block/by-name/" + name;
     if (access(path.c_str(), W_OK) < 0) {
         return {};
@@ -164,6 +169,9 @@
 
 bool GetDeviceLockStatus() {
     std::string cmdline;
-    android::base::ReadFileToString("/proc/cmdline", &cmdline);
+    // Return lock status true if unable to read kernel command line.
+    if (!android::base::ReadFileToString("/proc/cmdline", &cmdline)) {
+        return true;
+    }
     return cmdline.find("androidboot.verifiedbootstate=orange") == std::string::npos;
 }