Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / d91285f1666a2bbca9f4d620bbd74ab87632a8c4^! / .
commitd91285f1666a2bbca9f4d620bbd74ab87632a8c4[log] [tgz]
authorRyan Prichard <rprichard@google.com>Tue May 01 18:03:05 2018 -0700
committerRyan Prichard <rprichard@google.com>Tue May 01 18:19:21 2018 -0700
tree8def602a6ddf96c73f971132f87633ff1071bc73
parent5258c2518e582585e1b00097296053b334790d13 [diff]
Fix PROP_FILENAME_MAX overflow handling

Bug: b/79117743
Test: /data/nativetest64/bionic-unit-tests/bionic-unit-tests
Change-Id: Idd5aa4d195abc13c06d3e5b57aef69a68c2a9a9d

diff --git a/libc/system_properties/context_node.cpp b/libc/system_properties/context_node.cpp
index 5496b5a..d392c0a 100644
--- a/libc/system_properties/context_node.cpp
+++ b/libc/system_properties/context_node.cpp

@@ -51,7 +51,7 @@
 
   char filename[PROP_FILENAME_MAX];
   int len = async_safe_format_buffer(filename, sizeof(filename), "%s/%s", filename_, context_);
-  if (len < 0 || len > PROP_FILENAME_MAX) {
+  if (len < 0 || len >= PROP_FILENAME_MAX) {
     lock_.unlock();
     return false;
   }
@@ -86,7 +86,7 @@
 bool ContextNode::CheckAccess() {
   char filename[PROP_FILENAME_MAX];
   int len = async_safe_format_buffer(filename, sizeof(filename), "%s/%s", filename_, context_);
-  if (len < 0 || len > PROP_FILENAME_MAX) {
+  if (len < 0 || len >= PROP_FILENAME_MAX) {
     return false;
   }
 

diff --git a/libc/system_properties/contexts_serialized.cpp b/libc/system_properties/contexts_serialized.cpp
index 062e8a5..12e9715 100644
--- a/libc/system_properties/contexts_serialized.cpp
+++ b/libc/system_properties/contexts_serialized.cpp

@@ -68,7 +68,7 @@
 bool ContextsSerialized::MapSerialPropertyArea(bool access_rw, bool* fsetxattr_failed) {
   char filename[PROP_FILENAME_MAX];
   int len = async_safe_format_buffer(filename, sizeof(filename), "%s/properties_serial", filename_);
-  if (len < 0 || len > PROP_FILENAME_MAX) {
+  if (len < 0 || len >= PROP_FILENAME_MAX) {
     serial_prop_area_ = nullptr;
     return false;
   }

diff --git a/libc/system_properties/contexts_split.cpp b/libc/system_properties/contexts_split.cpp
index 92baedd..11db7ec 100644
--- a/libc/system_properties/contexts_split.cpp
+++ b/libc/system_properties/contexts_split.cpp

@@ -196,7 +196,7 @@
 bool ContextsSplit::MapSerialPropertyArea(bool access_rw, bool* fsetxattr_failed) {
   char filename[PROP_FILENAME_MAX];
   int len = async_safe_format_buffer(filename, sizeof(filename), "%s/properties_serial", filename_);
-  if (len < 0 || len > PROP_FILENAME_MAX) {
+  if (len < 0 || len >= PROP_FILENAME_MAX) {
     serial_prop_area_ = nullptr;
     return false;
   }

diff --git a/libc/system_properties/system_properties.cpp b/libc/system_properties/system_properties.cpp
index 7c48b8e..d5c3647 100644
--- a/libc/system_properties/system_properties.cpp
+++ b/libc/system_properties/system_properties.cpp

@@ -67,7 +67,7 @@
     return true;
   }
 
-  if (strlen(filename) > PROP_FILENAME_MAX) {
+  if (strlen(filename) >= PROP_FILENAME_MAX) {
     return false;
   }
   strcpy(property_filename_, filename);
@@ -95,7 +95,7 @@
 }
 
 bool SystemProperties::AreaInit(const char* filename, bool* fsetxattr_failed) {
-  if (strlen(filename) > PROP_FILENAME_MAX) {
+  if (strlen(filename) >= PROP_FILENAME_MAX) {
     return false;
   }
   strcpy(property_filename_, filename);