commit 3724bbcbe99cbe6d3697d19e5d1658838da3a179
author Keith Mok <keithmok@google.com> Thu Dec 30 20:08:04 2021 +0000
committer Keith Mok <keithmok@google.com> Tue Jan 04 19:24:23 2022 +0000
tree a0c73f522bdcc599e8797187e1281aa3a6f0f83a
parent 921ad28a30fc9f0716c32e4c85e68f747b79a14a

Fix userspace fastboot with fuzzy test

Add more checking for fastboot to detect malformed
requests.
Such as checking no control characters in the command
send from host.
Make sure the download command length is eight bytes.
And report FAIL if download length is zero.

Test: adb reboot fastboot
      fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid1
      fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid2
      fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid7
      fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid8
Bug: 212628476
Change-Id: I750174205377395b5328923fb00462d078f3310d

fastboot/device/commands.cpp

diff --git a/fastboot/device/commands.cpp b/fastboot/device/commands.cpp
index 4042531..b9f6c97 100644
--- a/fastboot/device/commands.cpp
+++ b/fastboot/device/commands.cpp
@@ -268,10 +268,18 @@
     }
 
     // arg[0] is the command name, arg[1] contains size of data to be downloaded
+    // which should always be 8 bytes
+    if (args[1].length() != 8) {
+        return device->WriteStatus(FastbootResult::FAIL,
+                                   "Invalid size (length of size != 8)");
+    }
     unsigned int size;
     if (!android::base::ParseUint("0x" + args[1], &size, kMaxDownloadSizeDefault)) {
         return device->WriteStatus(FastbootResult::FAIL, "Invalid size");
     }
+    if (size == 0) {
+        return device->WriteStatus(FastbootResult::FAIL, "Invalid size (0)");
+    }
     device->download_data().resize(size);
     if (!device->WriteStatus(FastbootResult::DATA, android::base::StringPrintf("%08x", size))) {
         return false;