ipc: HWBinders: Add check for OOB read and sanitize value of size.
In ipc_agm_session_write_datapath_params, add a check for an OOB read
and sanitize the value of size by verifying that it matches
the size of the buffer.
Change-Id: Ic13ff9d7e20d15fb5f2e351984e7a6681efe5d87
diff --git a/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp b/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp
index ccf047e..662aa1d 100644
--- a/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp
+++ b/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp
@@ -28,7 +28,7 @@
* IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Changes from Qualcomm Innovation Center are provided under the following license:
- * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted (subject to the limitations in the
@@ -1626,18 +1626,26 @@
buf.addr = nullptr;
buf.metadata = nullptr;
- bufSize = buff_hidl.data()->size;
+ if (1 != buff_hidl.size()) {
+ ALOGE("%s: buff_hidl size is not equal to 1.", __func__);
+ goto exit;
+ }
+ bufSize = buff_hidl[0].size;
buf.addr = (uint8_t *)calloc(1, bufSize);
if (!buf.addr) {
ALOGE("%s: failed to calloc", __func__);
goto exit;
}
+ if (bufSize != buff_hidl[0].buffer.size()) {
+ ALOGE("%s: Invalid buffer vector size", __func__);
+ goto exit;
+ }
buf.size = (size_t)bufSize;
- buf.timestamp = buff_hidl.data()->timestamp;
- buf.flags = buff_hidl.data()->flags;
+ buf.timestamp = buff_hidl[0].timestamp;
+ buf.flags = buff_hidl[0].flags;
if (bufSize)
- memcpy(buf.addr, buff_hidl.data()->buffer.data(), bufSize);
+ memcpy(buf.addr, buff_hidl[0].buffer.data(), bufSize);
else {
ALOGE("%s: buf size is null", __func__);
goto exit;
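Review bot: The `bufSize != buff_hidl[0].buffer.size()` comparison is placed after `calloc(1, bufSize)`, so the caller-supplied size field still drives an allocation before it has been checked against the data actually received. Moving the check above the allocation and rejecting zero in the same place, e.g. `if (bufSize == 0 || bufSize != buff_hidl[0].buffer.size()) { ALOGE("%s: Invalid buffer vector size", __func__); goto exit; }`, bounds the allocation by the real vector length and avoids a zero-size `calloc`, whose result is implementation-defined. As written, both the mismatch path and the zero-size path jump to `exit` with `buf.addr` already allocated. The `exit` label and the rest of the function are outside this hunk, so it is worth confirming that `exit` frees `buf.addr` on those paths.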