From 1eeeea111e3764b72c177a5bd46d684d2777d509 Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Thu, 24 May 2018 15:21:40 +0200
Subject: [PATCH] qemu: fix crash in qemud message process when we don't have enough data
---
src/anbox/qemu/qemud_message_processor.cpp | 28 ++++++++++++++--------
src/anbox/qemu/qemud_message_processor.h | 2 +-
2 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/src/anbox/qemu/qemud_message_processor.cpp b/src/anbox/qemu/qemud_message_processor.cpp
index b47f078..c056447 100644
--- a/src/anbox/qemu/qemud_message_processor.cpp
+++ b/src/anbox/qemu/qemud_message_processor.cpp
@@ -23,7 +23,7 @@ namespace {
 static constexpr const long header_size{4};
-}
+} // namespace
 namespace anbox {
 namespace qemu {
@@ -33,18 +33,17 @@ QemudMessageProcessor::QemudMessageProcessor(
 QemudMessageProcessor::~QemudMessageProcessor() {}
-bool QemudMessageProcessor::process_data(
- const std::vector &data) {
- for (const auto &byte : data) buffer_.push_back(byte);
+bool QemudMessageProcessor::process_data(const std::vector &data) {
+ for (const auto &byte : data)
+ buffer_.push_back(byte);
- process_commands();
-
- return true;
+ return process_commands();
 }
-void QemudMessageProcessor::process_commands() {
+bool QemudMessageProcessor::process_commands() {
 while (true) {
- if (buffer_.size() < header_size) break;
+ if (buffer_.size() < header_size)
+ break;
 char header[header_size] = {0};
 ::memcpy(header, buffer_.data(), header_size);
@@ -52,6 +51,12 @@ void QemudMessageProcessor::process_commands() {
 unsigned int body_size = 0;
 ::sscanf(header, "%04x", &body_size);
+ // Double check that we have enough data to ready the whole body. If
+ // not we have to wait until we have everything.
+ size_t total_size = header_size + body_size;
+ if (buffer_.size() < total_size)
+ break;
+
 std::string command;
 // Make sure we only copy as much bytes as we have to and not more
 command.insert(0, 
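Review bot: `::sscanf(header, "%04x", &body_size)` is handed a buffer with no terminator: `char header[header_size] = {0}` is filled completely by the preceding `::memcpy(header, buffer_.data(), header_size)` (both context lines in the previous hunk), so sscanf, which requires a NUL-terminated string, may read past the four bytes on the stack, and its return value is unchecked, so a non-hex header silently leaves `body_size == 0` and the loop presumably treats the next four bytes as an empty command. Declare the buffer one byte longer, `char header[header_size + 1] = {0};`, and reject a malformed header with `if (::sscanf(header, "%04x", &body_size) != 1) return false;`, which gives the new bool return something to carry — assuming the MessageProcessor caller treats false as a fatal protocol error, which is not visible here. The added `total_size` guard itself is sound, since `%04x` caps body_size at 0xFFFF and `size_t` cannot overflow on that sum. process_commands continues past the end of this hunk.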
@@ -64,8 +69,11 @@ void QemudMessageProcessor::process_commands() {
 buffer_.erase(buffer_.begin(), buffer_.begin() + consumed);
 const auto remaining = buffer_.size() - consumed;
- if (remaining <= 0) break;
+ if (remaining <= 0)
+ break;
 }
+
+ return true;
 }
 void QemudMessageProcessor::send_header(const size_t &size) {
diff --git a/src/anbox/qemu/qemud_message_processor.h b/src/anbox/qemu/qemud_message_processor.h
index e560881..73f199a 100644
--- a/src/anbox/qemu/qemud_message_processor.h
+++ b/src/anbox/qemu/qemud_message_processor.h
@@ -40,7 +40,7 @@ class QemudMessageProcessor : public network::MessageProcessor {
 std::shared_ptr messenger_;
 private:
- void process_commands();
+ bool process_commands();
 std::vector buffer_;
 };
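Review bot: `const auto remaining = buffer_.size() - consumed;` is evaluated after `buffer_.erase(buffer_.begin(), buffer_.begin() + consumed)` has already removed those bytes, so the subtraction counts them twice: if exactly one more command of the same size is left, `remaining` is zero and the reformatted `if (remaining <= 0) break;` abandons a complete command until more data arrives, and in every other case the unsigned value wraps (for a `size_t`, `<= 0` can only mean `== 0`) and the break never fires. The loop top already stops on `buffer_.size() < header_size`, so these three lines can be reduced to `if (buffer_.empty())` / `break;` or removed outright. `consumed` is defined above this hunk, so its meaning is inferred from the erase call.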
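Review bot: `bool process_commands();` replaces `void` without saying what the result means, and in the visible .cpp hunks every exit path is a `break` followed by `return true;`, so process_data now forwards a status that can never be false unless a `return false` exists in the part of the function outside those hunks. Add a comment stating the contract the code actually has, e.g. `// Consumes every complete command currently in buffer_; an incomplete trailing command is kept for the next call.`, and either give the return value a documented failure condition or keep the declaration void. The surrounding class body is outside the diff.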