diff options
| author | Spencer Low <CompareAndSwap@gmail.com> | 2015-01-25 17:38:36 -0800 |
|---|---|---|
| committer | Spencer Low <CompareAndSwap@gmail.com> | 2015-01-25 17:38:36 -0800 |
| commit | 943ef23b3de60c92a219e65aee35ae6242a461dc (patch) | |
| tree | 1c960437b2a6ed7862e5f82312988ef921f23a78 /libutils/Threads.cpp | |
| parent | e21d7ae89e91a1f6797b74bf7f744b87eb6d2148 (diff) | |
adbd: tcpip command uses port number from uninitialized memory
If you run `adb tcpip`, adbd tries to process a string of 'tcpip:' using
this code:
} else if(!strncmp(name, "tcpip:", 6)) {
int port;
if (sscanf(name + 6, "%d", &port) == 0) {
port = 0;
}
ret = create_service_thread(restart_tcp_service, (void *) (uintptr_t) port);
If a zero-length string is passed to sscanf(), it returns EOF (-1) which
causes the if statement to skip the block, leaving the port variable
uninitialized.
I found this by running `adb tcpip` and sometimes getting 'invalid port'
and sometimes a device would start listening on a random port number.
The fix is to check the sscanf() return value for the success case (the
number of items successfully parsed), as is already done in other parts
of the adb code. I also fixed-up another instance of the same
code-pattern in services.c.
Change-Id: I8c9c33485ad076828da0ac74f048fdad561669d3
Signed-off-by: Spencer Low <CompareAndSwap@gmail.com>
Diffstat (limited to 'libutils/Threads.cpp')
0 files changed, 0 insertions, 0 deletions