Merge "Buffer overrun in __android_log_is_loggable() fix"
diff --git a/logd/LogBuffer.cpp b/logd/LogBuffer.cpp
index 7498325..43362fb 100644
--- a/logd/LogBuffer.cpp
+++ b/logd/LogBuffer.cpp
@@ -212,13 +212,19 @@
if (log_id != LOG_ID_SECURITY) {
int prio = ANDROID_LOG_INFO;
const char* tag = nullptr;
+ size_t tag_len = 0;
if (log_id == LOG_ID_EVENTS) {
tag = tagToName(elem->getTag());
+ if (tag) {
+ tag_len = strlen(tag);
+ }
} else {
prio = *msg;
tag = msg + 1;
+ tag_len = strnlen(tag, len - 1);
}
- if (!__android_log_is_loggable(prio, tag, ANDROID_LOG_VERBOSE)) {
+ if (!__android_log_is_loggable_len(prio, tag, tag_len,
+ ANDROID_LOG_VERBOSE)) {
// Log traffic received to total
wrlock();
stats.addTotal(elem);
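Review bot: The bound `len - 1` passed to `strnlen` in the non-events branch is computed without first checking that `len` is non-zero, and neither the type of `len` nor any earlier check is visible in this hunk. If `len` can be 0 on some call path, the subtraction becomes a huge `size_t` and the scan is unbounded again, which is the overrun this change is meant to close; `prio = *msg` on the line above would also read a byte that is not there. Unless a caller already guarantees at least one payload byte, consider `tag_len = len ? strnlen(tag, len - 1) : 0;` and guard the `*msg` read the same way. The enclosing function starts and ends outside the hunk, so an existing guard may simply not be shown.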
diff --git a/logd/LogListener.cpp b/logd/LogListener.cpp
index d2df68e..fcf2cd8 100644
--- a/logd/LogListener.cpp
+++ b/logd/LogListener.cpp
@@ -43,9 +43,10 @@
name_set = true;
}
+ // + 1 to ensure null terminator if MAX_PAYLOAD buffer is received
char buffer[sizeof_log_id_t + sizeof(uint16_t) + sizeof(log_time) +
- LOGGER_ENTRY_MAX_PAYLOAD];
- struct iovec iov = { buffer, sizeof(buffer) };
+ LOGGER_ENTRY_MAX_PAYLOAD + 1];
+ struct iovec iov = { buffer, sizeof(buffer) - 1 };
alignas(4) char control[CMSG_SPACE(sizeof(struct ucred))];
struct msghdr hdr = {
@@ -55,13 +56,16 @@
int socket = cli->getSocket();
// To clear the entire buffer is secure/safe, but this contributes to 1.68%
- // overhead under logging load. We are safe because we check counts.
+ // overhead under logging load. We are safe because we check counts, but
+ // still need to clear null terminator
// memset(buffer, 0, sizeof(buffer));
ssize_t n = recvmsg(socket, &hdr, 0);
if (n <= (ssize_t)(sizeof(android_log_header_t))) {
return false;
}
+ buffer[n] = 0;
+
struct ucred* cred = NULL;
struct cmsghdr* cmsg = CMSG_FIRSTHDR(&hdr);
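Review bot: The store `buffer[n] = 0;` is only in bounds because the earlier hunk sets `iov_len` to `sizeof(buffer) - 1`, and nothing at the write site says so. The reworded comment ("still need to clear null terminator") does not explain which byte is written or why it is safe. A comment directly above the store would make the dependency explicit, for example `// recvmsg() fills at most sizeof(buffer) - 1 bytes (see iov), so buffer[n] is the reserved terminator slot`. Since the `+ 1` in the array size and the `- 1` in the `iov` initializer must change together, the comment in the first LogListener.cpp hunk could mention the `iov` length as well.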