From 66e98cf0071d08f71946f05f43c8e7382dd5c266 Mon Sep 17 00:00:00 2001
From: ThePedroo
Date: Fri, 8 Nov 2024 17:25:41 -0300
Subject: [PATCH] fix: possible out-of-bounds write; remove: unnecessary logging

This commit both fixes a possible out-of-bounds write by using "snprintf" over "sprintf" and also removes a unnecessary logging which was meant to be removed commits ago.
---
 zygiskd/src/zygiskd.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/zygiskd/src/zygiskd.c b/zygiskd/src/zygiskd.c
index c2d1e3c..93338ae 100644
--- a/zygiskd/src/zygiskd.c
+++ b/zygiskd/src/zygiskd.c
@@ -391,9 +391,10 @@ void zygiskd_start(char *restrict argv[]) {
 char impl_name[LONGEST_ROOT_IMPL_NAME];
 stringify_root_impl_name(impl, impl_name);
- struct MsgHead *msg = NULL;
- msg = malloc(sizeof(struct MsgHead) + strlen("Root: , Modules: ") + strlen(impl_name) + module_list_len + 1);
- msg->length = sprintf(msg->data, "Root: %s, Modules: %s", impl_name, module_list);
+ size_t msg_length = strlen("Root: , Modules: ") + strlen(impl_name) + module_list_len + 1;
+
+ struct MsgHead *msg = malloc(sizeof(struct MsgHead) + msg_length);
+ msg->length = snprintf(msg->data, msg_length, "Root: %s, Modules: %s", impl_name, module_list);
 msg->cmd = DAEMON_SET_INFO;
 unix_datagram_sendto(CONTROLLER_SOCKET, (void *)msg, sizeof(struct MsgHead) + msg->length);
@@ -611,10 +612,10 @@ void zygiskd_start(char *restrict argv[]) {
 struct Module *module = &context.modules[index];
 if (module->companion != -1) {
- LOGI(" Polling companion for module \"%s\"\n", module->name);
+ LOGI(" - Polling companion for module \"%s\"\n", module->name);
 if (!check_unix_socket(module->companion, false)) {
- LOGE(" Poll companion for module \"%s\" crashed\n", module->name);
+ LOGE(" - Poll companion for module \"%s\" crashed\n", module->name);
 close(module->companion);
 module->companion = -1;
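Review bot: In the `@@ -391,9 +391,10 @@` hunk, `msg->length` takes the return value of `snprintf` unchecked, and the `unix_datagram_sendto` call two lines below uses it as the byte count, so the write is now bounded but the send size is not. `snprintf` returns the length the complete string would have had (or a negative value on error), so if `module_list_len` ever disagrees with `strlen(module_list)` the datagram would include heap bytes past the allocation. Keep the result in a local, e.g. `int written = snprintf(msg->data, msg_length, ...);`, and treat `written < 0 || (size_t)written >= msg_length` as a failure before assigning `msg->length`. The `malloc` result is also dereferenced without a check; an `if (msg == NULL)` guard belongs before the `snprintf`. zygiskd_start begins and continues outside this hunk, so how `module_list_len` is computed and whether `msg` is freed cannot be confirmed from here.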
@@ -625,12 +626,12 @@ void zygiskd_start(char *restrict argv[]) {
 module->companion = spawn_companion(argv, module->name, module->lib_fd);
 if (module->companion > 0) {
- LOGI(" Spawned companion for \"%s\"\n", module->name);
+ LOGI(" - Spawned companion for \"%s\"\n", module->name);
 } else {
 if (module->companion == -2) {
- LOGE(" No companion spawned for \"%s\" because it has no entry.\n", module->name);
+ LOGE(" - No companion spawned for \"%s\" because it has no entry.\n", module->name);
 } else {
- LOGE(" Failed to spawn companion for \"%s\": %s\n", module->name, strerror(errno));
+ LOGE(" - Failed to spawn companion for \"%s\": %s\n", module->name, strerror(errno));
 }
 }
 }
@@ -642,10 +643,10 @@ void zygiskd_start(char *restrict argv[]) {
 safe. */
 if (module->companion != -1) {
- LOGI(" Sending companion fd socket of module \"%s\"\n", module->name);
+ LOGI(" - Sending companion fd socket of module \"%s\"\n", module->name);
 if (write_fd(module->companion, client_fd) == -1) {
- LOGE("Failed to send companion fd socket of module \"%s\"\n", module->name);
+ LOGE(" - Failed to send companion fd socket of module \"%s\"\n", module->name);
 ret = write_uint8_t(client_fd, 0);
 ASSURE_SIZE_WRITE_BREAK("RequestCompanionSocket", "response", ret, sizeof(int));
@@ -664,8 +665,6 @@ void zygiskd_start(char *restrict argv[]) {
 close(client_fd);
 }
- LOGI("ZD++ RequestCompanionSocket\n");
-
 break;
 }
 case GetModuleDir: {