From f9eb06ca691ed14c8b55840a07333330ae347e22 Mon Sep 17 00:00:00 2001 From: Vairavan Srinivasan Date: Fri, 21 Jan 2011 18:08:36 -0800 Subject: frameworks/base: Cap the number of toasts that a package can post. NotificationManagerService keeps track of requested toasts in a queue. Any package can trigger a DoS by repeated enqueue of toasts which eventually results in a leak of WeakReferences in system_server and causes dalvik (hosting system_server) to abort the same. Change-Id: I5e23c1bf7e195b07344711d2c6719fa568f2dfaf
---
 .../com/android/server/NotificationManagerService.java | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
diff --git a/services/java/com/android/server/NotificationManagerService.java b/services/java/com/android/server/NotificationManagerService.java
index 540389e21d84..f5caf7a7e9fc 100755
--- a/services/java/com/android/server/NotificationManagerService.java
+++ b/services/java/com/android/server/NotificationManagerService.java
@@ -519,6 +519,24 @@ public class NotificationManagerService extends INotificationManager.Stub
 record = mToastQueue.get(index);
 record.update(duration);
 } else {
+ // Limit the number of toasts that any given package except the android
+ // package can enqueue. Prevents DOS attacks and deals with leaks.
+ if (!"android".equals(pkg)) {
+ int count = 0;
+ final int N = mToastQueue.size();
+ for (int i=0; i= MAX_PACKAGE_NOTIFICATIONS) {
+ Slog.e(TAG, "Package has already posted " + count
+ + " toasts. Not showing more. Package=" + pkg);
+ return;
+ }
+ }
+ }
+ }
+
 record = new ToastRecord(callingPid, pkg, callback, duration);
 mToastQueue.add(record);
 index = mToastQueue.size() - 1;
-- cgit v1.2.3-59-g8ed1b
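Review bot: The new cap and its exemption are both keyed on the `pkg` string, and nothing in this hunk shows that `pkg` is bound to the caller's identity; if it is a caller-supplied argument that is not checked against the calling UID earlier in the method (outside this hunk), the limit does not actually bound what one caller can queue, and the `"android"` exemption is granted by name alone. Consider deriving the exemption from the binder identity instead, e.g. `if (Binder.getCallingUid() != Process.SYSTEM_UID) {`, and counting queued records by the caller's uid or by the `callingPid` that is already passed to `ToastRecord`. Reusing `MAX_PACKAGE_NOTIFICATIONS` for toasts also couples two unrelated limits; a dedicated toast constant with a comment such as `// Max queued toasts per caller; bounds mToastQueue growth in system_server` would make the intent clear. The enclosing method begins and ends outside the hunk.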