mirror of
https://github.com/skyline-emu/skyline.git
synced 2024-12-23 16:41:51 +01:00
Fix Logger Message OOB Access
Certain titles can submit logs where the last field is off by one from the end of the buffer; the logger loop now accounts for this and terminates if there isn't enough data left to read the field type and length.
parent
645183c903
commit
1f3519e6e3
@ -8,6 +8,7 @@ namespace skyline::service::lm {
|
|||||||
ILogger::ILogger(const DeviceState &state, ServiceManager &manager) : BaseService(state, manager) {}
|
ILogger::ILogger(const DeviceState &state, ServiceManager &manager) : BaseService(state, manager) {}
|
||||||
|
|
||||||
Result ILogger::Log(type::KSession &session, ipc::IpcRequest &request, ipc::IpcResponse &response) {
|
Result ILogger::Log(type::KSession &session, ipc::IpcRequest &request, ipc::IpcResponse &response) {
|
||||||
|
auto inputBuffer{request.inputBuf.at(0)};
|
||||||
struct Data {
|
struct Data {
|
||||||
u64 pid;
|
u64 pid;
|
||||||
u64 threadContext;
|
u64 threadContext;
|
||||||
@ -15,7 +16,7 @@ namespace skyline::service::lm {
|
|||||||
LogLevel level;
|
LogLevel level;
|
||||||
u8 verbosity;
|
u8 verbosity;
|
||||||
u32 payloadLength;
|
u32 payloadLength;
|
||||||
} &data = request.inputBuf.at(0).as<Data>();
|
} &data = inputBuffer.as<Data>();
|
||||||
|
|
||||||
struct LogMessage {
|
struct LogMessage {
|
||||||
std::string_view message;
|
std::string_view message;
|
||||||
@ -30,10 +31,10 @@ namespace skyline::service::lm {
|
|||||||
} logMessage{};
|
} logMessage{};
|
||||||
|
|
||||||
u64 offset{sizeof(Data)};
|
u64 offset{sizeof(Data)};
|
||||||
while (offset < request.inputBuf[0].size()) {
|
while ((offset + sizeof(LogFieldType) + sizeof(u8)) < inputBuffer.size()) { // The length of the last field sometimes doesn't add up to the buffer size, so we need to terminate the loop when we can't pop the type and length off the buffer
|
||||||
auto fieldType{request.inputBuf[0].subspan(offset++).as<LogFieldType>()};
|
auto fieldType{inputBuffer.subspan(offset++).as<LogFieldType>()};
|
||||||
auto length{request.inputBuf[0].subspan(offset++).as<u8>()};
|
auto length{inputBuffer.subspan(offset++).as<u8>()};
|
||||||
auto object{request.inputBuf[0].subspan(offset, length)};
|
auto object{inputBuffer.subspan(offset, length)};
|
||||||
|
|
||||||
switch (fieldType) {
|
switch (fieldType) {
|
||||||
case LogFieldType::Start:
|
case LogFieldType::Start:
|
||||||
|
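Review bot: The new loop guard in `ILogger::Log` only guarantees that the field type and length bytes are readable; the guest-supplied `length` is still passed straight to `inputBuffer.subspan(offset, length)` without being compared to the bytes that remain. Unless the span type's `subspan` validates its arguments (not visible in this hunk), a malformed final field could still extend past the buffer end, which is the same class of problem this commit is fixing. Consider adding `if (length > inputBuffer.size() - offset) break;` right after `length` is read; the subtraction cannot wrap because the loop condition already ensures `offset` is below the buffer size at that point. The switch body continues outside the hunk, so how `object` is consumed and how `offset` advances could not be checked here.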