diff --git a/interfaces/innerkits/accesstoken/include/access_token.h b/interfaces/innerkits/accesstoken/include/access_token.h
index ed5b4b8a67ae4a6b03b0169ce9960e1138078c5d..b6d8e614f6bfb18faf0907693d149c16f04181ae 100644
--- a/interfaces/innerkits/accesstoken/include/access_token.h
+++ b/interfaces/innerkits/accesstoken/include/access_token.h
@@ -24,6 +24,8 @@ typedef unsigned int AccessTokenAttr;
 static const int DEFAULT_TOKEN_VERSION = 1;
 static const int DEFAULT_PERMISSION_FLAGS = 0;
 static const int FIRSTCALLER_TOKENID_DEFAULT = 0;
+static const int MAX_PERMISSION_SIZE = 1000;
+static const int MAX_NATIVE_TOKEN_INFO_SIZE = 20480;
 enum AccessTokenKitRet {
 RET_FAILED = -1,
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp
index e3a7b7a399f548866a75fc5315e5a2a79c52d23d..28c68a9abe52c63381a09ad380010f264e8cfcaf 100644
--- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp
+++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp
@@ -158,6 +158,10 @@ int AccessTokenManagerProxy::GetDefPermissions(AccessTokenID tokenID,
 }
 int32_t size = reply.ReadInt32();
+ if (size > MAX_PERMISSION_SIZE) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "size = %{public}d get from request is invalid", size);
+ return RET_FAILED;
+ }
 for (int i = 0; i < size; i++) {
 sptr permissionDef = reply.ReadParcelable();
 if (permissionDef != nullptr) {
@@ -198,6 +202,10 @@ int AccessTokenManagerProxy::GetReqPermissions(
 }
 int32_t size = reply.ReadInt32();
+ if (size > MAX_PERMISSION_SIZE) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "size = %{public}d get from request is invalid", size);
+ return RET_FAILED;
+ }
 for (int i = 0; i < size; i++) {
 sptr permissionReq = reply.ReadParcelable();
 if (permissionReq != nullptr) {
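Review bot: The two new limits are declared `static const int` but are compared against `uint32_t` counts in the stub (`uint32_t size = data.ReadUint32();` in the -119 and -364 hunks), which is a signed/unsigned comparison that -Wsign-compare will flag even though the positive values make it correct. Declaring them as unsigned constants, `static const uint32_t MAX_PERMISSION_SIZE = 1000;` and `static const uint32_t MAX_NATIVE_TOKEN_INFO_SIZE = 20480;`, avoids the implicit conversion; the proxy-side `int32_t` comparisons would then need the sign check suggested below anyway. Since these values are the only bound on element counts read from IPC parcels, a short comment would help the next maintainer: `// Upper bounds on element counts read from IPC parcels; larger peer-supplied counts are rejected before any per-element read.`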
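Review bot: The new bound in GetDefPermissions only rejects counts above MAX_PERMISSION_SIZE, so a negative `int32_t size` from a corrupt or hostile reply passes the check; the following `for (int i = 0; i < size; i++)` then runs zero times and the call reports success with an empty list instead of RET_FAILED. The check should be `if (size < 0 || size > MAX_PERMISSION_SIZE) {`. The same pattern appears in the -198 hunk (GetReqPermissions) and, as far as this garbled view shows, in the -748 hunk (GetAllNativeTokenInfo) with MAX_NATIVE_TOKEN_INFO_SIZE. The rest of each loop body, including what happens when ReadParcelable() yields nullptr, lies outside these hunks, so whether a failed element read is surfaced to the caller cannot be judged here.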
@@ -748,6 +756,10 @@ int AccessTokenManagerProxy::GetAllNativeTokenInfo(std::vector MAX_NATIVE_TOKEN_INFO_SIZE) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "size = %{public}d get from request is invalid", size);
+ return RET_FAILED;
+ }
 for (int i = 0; i < size; i++) {
 sptr nativeResult = reply.ReadParcelable();
 if (nativeResult != nullptr) {
diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp
index a48dbd371069759aee0e15fa9eab1d492929ec1b..c325c1c664e3bc9826aaace3d9ca0f74f1987e89 100644
--- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp
+++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp
@@ -119,6 +119,11 @@ void AccessTokenManagerStub::GetSelfPermissionsStateInner(MessageParcel& data, M
 std::vector permList;
 uint32_t size = data.ReadUint32();
 ACCESSTOKEN_LOG_INFO(LABEL, "permList size read from client data is %{public}d.", size);
+ if (size > MAX_PERMISSION_SIZE) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "permList size %{public}d is invalid", size);
+ reply.WriteInt32(INVALID_OPER);
+ return;
+ }
 for (uint32_t i = 0; i < size; i++) {
 sptr permissionParcel = data.ReadParcelable();
 if (permissionParcel != nullptr) {
@@ -206,7 +211,11 @@ void AccessTokenManagerStub::AllocHapTokenInner(MessageParcel& data, MessageParc
 sptr hapInfoParcel = data.ReadParcelable();
 sptr hapPolicyParcel = data.ReadParcelable();
-
+ if (hapInfoParcel == nullptr || hapPolicyParcel == nullptr) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "read hapPolicyParcel or hapInfoParcel fail");
+ reply.WriteInt32(RET_FAILED);
+ return;
+ }
 res = this->AllocHapToken(*hapInfoParcel, *hapPolicyParcel);
 reply.WriteUint64(res.tokenIDEx);
 }
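Review bot: In GetSelfPermissionsStateInner the new error log formats the `uint32_t size` with `%{public}d`, matching the pre-existing INFO line but not the `%{public}u` the -364 hunk uses for the same type; the line should read `ACCESSTOKEN_LOG_ERROR(LABEL, "permList size %{public}u is invalid", size);`. This is the first place a client-supplied element count is bounded before the per-element ReadParcelable loop, which is the right spot for it. The failure reply here writes INVALID_OPER whereas the other stubs in this patch write RET_FAILED; presumably the proxy for this call decodes a different result type, but a one-line comment such as `// reply carries the operation state, not an AccessTokenKitRet` would stop the next reader from "fixing" it. The loop body continues past the hunk, so what a nullptr element does to the returned state cannot be checked from here.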
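Review bot: In AllocHapTokenInner the new failure path writes `reply.WriteInt32(RET_FAILED)` while the success path just below writes `reply.WriteUint64(res.tokenIDEx)`, so the two branches encode the reply differently. If the proxy side reads the reply with a single ReadUint64 (as the success path implies, though the proxy is not in this patch), a failure reply would be decoded as a 4-byte RET_FAILED plus whatever follows in the parcel rather than as an error. Either the proxy must be shown to read an Int32 status first, or the failure should go through the same channel, e.g. `reply.WriteUint64(0);` if zero is a tokenIDEx value the proxy already treats as invalid; confirm against the AllocHapToken proxy before choosing. `res` is declared above this hunk, so its type and initial value are not visible here.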
@@ -267,14 +276,18 @@ void AccessTokenManagerStub::AllocLocalTokenIDInner(MessageParcel& data, Message
 void AccessTokenManagerStub::UpdateHapTokenInner(MessageParcel& data, MessageParcel& reply)
 {
 if (!IsAuthorizedCalling()) {
- ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, permission denied", __func__);
+ ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
 reply.WriteInt32(RET_FAILED);
 return;
 }
 AccessTokenID tokenID = data.ReadUint32();
 std::string appIDDesc = data.ReadString();
 sptr policyParcel = data.ReadParcelable();
-
+ if (policyParcel == nullptr) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "policyParcel read faild");
+ reply.WriteInt32(RET_FAILED);
+ return;
+ }
 int32_t result = this->UpdateHapToken(tokenID, appIDDesc, *policyParcel);
 reply.WriteInt32(result);
 }
@@ -349,6 +362,11 @@ void AccessTokenManagerStub::SetRemoteHapTokenInfoInner(MessageParcel& data, Mes
 }
 std::string deviceID = data.ReadString();
 sptr hapTokenParcel = data.ReadParcelable();
+ if (hapTokenParcel == nullptr) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "hapTokenParcel read faild");
+ reply.WriteInt32(RET_FAILED);
+ return;
+ }
 int result = this->SetRemoteHapTokenInfo(deviceID, *hapTokenParcel);
 reply.WriteInt32(result);
 }
@@ -364,9 +382,18 @@ void AccessTokenManagerStub::SetRemoteNativeTokenInfoInner(MessageParcel& data, 
 std::vector nativeTokenInfoParcel;
 uint32_t size = data.ReadUint32();
-
+ if (size > MAX_NATIVE_TOKEN_INFO_SIZE) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "size %{public}u is invalid", size);
+ reply.WriteInt32(RET_FAILED);
+ return;
+ }
 for (uint32_t i = 0; i < size; i++) {
 sptr nativeParcel = data.ReadParcelable();
+ if (nativeParcel == nullptr) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "nativeParcel read faild");
+ reply.WriteInt32(RET_FAILED);
+ return;
+ }
 nativeTokenInfoParcel.emplace_back(*nativeParcel);
 }
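Review bot: The new error message in UpdateHapTokenInner misspells "failed": `ACCESSTOKEN_LOG_ERROR(LABEL, "policyParcel read failed");`. The same typo is repeated in the -349 hunk (`"hapTokenParcel read faild"`) and the -364 hunk (`"nativeParcel read faild"`); since these strings are what operators grep for when a remote parcel fails to decode, it is worth fixing all three in one pass. The null checks themselves close a real gap, as each `*policyParcel` / `*hapTokenParcel` / `*nativeParcel` dereference previously ran on whatever ReadParcelable returned, and the failure replies consistently use WriteInt32(RET_FAILED) to match the success path's WriteInt32(result) in these three functions.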