author Vairavan Srinivasan <vairav@codeaurora.org> 2011-01-21 18:08:36 -0800
committer Vairavan Srinivasan <vairav@codeaurora.org> 2011-05-13 10:57:19 -0700
commitf9eb06ca691ed14c8b55840a07333330ae347e22 (patch)
treeb3f0683382411fa4aac577551e00d563647ee3d9
parentf247e545b521584bb778e79710c1e60ab814839e (diff)
frameworks/base: Cap the number of toasts that a package can post.
NotificationManagerService keeps track of requested toasts in a queue. Any package can trigger a DoS by repeatedly enqueuing toasts, which eventually leaks WeakReferences in system_server and causes dalvik (hosting system_server) to abort. Change-Id: I5e23c1bf7e195b07344711d2c6719fa568f2dfaf
-rwxr-xr-xservices/java/com/android/server/NotificationManagerService.java18
1 files changed, 18 insertions, 0 deletions
diff --git a/services/java/com/android/server/NotificationManagerService.java b/services/java/com/android/server/NotificationManagerService.java
index 540389e21d84..f5caf7a7e9fc 100755
--- a/services/java/com/android/server/NotificationManagerService.java
+++ b/services/java/com/android/server/NotificationManagerService.java
@@ -519,6 +519,24 @@ public class NotificationManagerService extends INotificationManager.Stub
record = mToastQueue.get(index);
record.update(duration);
} else {
+ // Limit the number of toasts that any given package except the android
+ // package can enqueue. Prevents DOS attacks and deals with leaks.
+ if (!"android".equals(pkg)) {
+ int count = 0;
+ final int N = mToastQueue.size();
+ for (int i=0; i<N; i++) {
+ final ToastRecord r = mToastQueue.get(i);
+ if (r.pkg.equals(pkg)) {
+ count++;
+ if (count >= MAX_PACKAGE_NOTIFICATIONS) {
+ Slog.e(TAG, "Package has already posted " + count
+ + " toasts. Not showing more. Package=" + pkg);
+ return;
+ }
+ }
+ }
+ }
+
record = new ToastRecord(callingPid, pkg, callback, duration);
mToastQueue.add(record);
index = mToastQueue.size() - 1;
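Review bot: Both the cap and its exemption are keyed on the `pkg` string, so if that value is the caller-supplied argument and is not checked against the calling uid earlier in the method (which starts and ends outside this hunk), the limit does not hold for a caller that passes `"android"` or varies the name between calls. Counting per caller identity would close that gap, for example by matching queued records on the `callingPid` already passed to `ToastRecord`, and by granting the exemption only on a uid check such as `Binder.getCallingUid() == Process.SYSTEM_UID` rather than on the string. Separately, `Slog.e` fires on every rejected request, so the package being throttled can still flood the log; logging once when the cap is first reached, or at a lower level, would avoid that.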