pal : in ipc_pal_stream_set_param add checks to avoid OOB To avoid OOB, below changes are done in ipc_pal_stream_set_param, 1. size member of payload vector is not be bigger than size of payload vector 2. paramPayload vector size is checked to be exactly one Change-Id: Id7b4f4f896939bff8c04f65cb8b192990c6ac1be

commit: e4dc6881999df430d99a55e7df77476a4418e456 [log] [tgz]
author: Srinivas Marka <quic_smarka@quicinc.com> Tue Aug 01 15:33:36 2023 +0530
committer: Partha Pratim Barman <quic_pbarman@quicinc.com> Thu Sep 21 23:04:56 2023 +0530
tree: a1fef5b0fbbf75d00377b2ad1796f115f32e1d94
parent: 07d491a722082a6b06934e17af6529863c1e1aa9 [diff]
diff --git a/ipc/HwBinders/pal_ipc_server/src/pal_server_wrapper.cpp b/ipc/HwBinders/pal_ipc_server/src/pal_server_wrapper.cpp
index 1896d31..3381842 100644
--- a/ipc/HwBinders/pal_ipc_server/src/pal_server_wrapper.cpp
+++ b/ipc/HwBinders/pal_ipc_server/src/pal_server_wrapper.cpp

@@ -825,6 +825,14 @@
 {
     int32_t ret = 0;
     pal_param_payload *param_payload;
+    if (1 != paramPayload.size()) {
+        ALOGE("Invalid vector size");
+        return -EINVAL;
+    }
+    if (paramPayload.data()->size > paramPayload.data()->payload.size()) {
+        ALOGE("Invalid payload size");
+        return -EINVAL;
+    }
     param_payload = (pal_param_payload *)calloc (1,
                                     sizeof(pal_param_payload) + paramPayload.data()->size);
     if (!param_payload) {
commit	e4dc6881999df430d99a55e7df77476a4418e456	[log] [tgz]
author	Srinivas Marka <quic_smarka@quicinc.com>	Tue Aug 01 15:33:36 2023 +0530
committer	Partha Pratim Barman <quic_pbarman@quicinc.com>	Thu Sep 21 23:04:56 2023 +0530
tree	a1fef5b0fbbf75d00377b2ad1796f115f32e1d94
parent	07d491a722082a6b06934e17af6529863c1e1aa9 [diff]