author | 2023-06-06 22:09:02 +0000 | |
---|---|---|
committer | 2023-06-07 20:15:12 +0000 | |
commit | bdc293ac507b97a23747ff7a736de26c181370c5 (patch) | |
tree | 66cd0bb1ae003fb863c6746e5d2ed98a4e2722e8 | |
parent | 653739c1583ea7d2a198b74d47bf44eb43cd00fd (diff) |
ISensorServer: validate vector size before setCapacity
If we don't check the size, we can run out of memory. Use the Parcel API
that knows about the binder transaction size limits.
Test: libsensorserviceaidl_fuzzer
Bug: none
Change-Id: I2d00e14e8c67e9899532577628c54e9a74f584d7
-rw-r--r-- | libs/sensor/ISensorServer.cpp | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/libs/sensor/ISensorServer.cpp b/libs/sensor/ISensorServer.cpp
index 019d6cb070..634d35a5b8 100644
--- a/libs/sensor/ISensorServer.cpp
+++ b/libs/sensor/ISensorServer.cpp
@@ -64,6 +64,14 @@ public:
 Sensor s;
 Vector<Sensor> v;
 uint32_t n = reply.readUint32();
+ // The size of the n Sensor elements on the wire is what we really want, but
+ // this is better than nothing.
+ if (n > reply.dataAvail()) {
+ ALOGE("Failed to get a reasonable size of the sensor list. This is likely a "
+ "malformed reply parcel. Number of elements: %d, data available in reply: %zu",
+ n, reply.dataAvail());
+ return v;
+ }
 v.setCapacity(n);
 while (n) {
 n--;
@@ -86,6 +94,14 @@ public:
 Sensor s;
 Vector<Sensor> v;
 uint32_t n = reply.readUint32();
+ // The size of the n Sensor elements on the wire is what we really want, but
+ // this is better than nothing.
+ if (n > reply.dataAvail()) {
+ ALOGE("Failed to get a reasonable size of the sensor list. This is likely a "
+ "malformed reply parcel. Number of elements: %d, data available in reply: %zu",
+ n, reply.dataAvail());
+ return v;
+ }
 v.setCapacity(n);
 while (n) {
 n--;
@@ -109,6 +125,14 @@ public:
 Sensor s;
 Vector<Sensor> v;
 uint32_t n = reply.readUint32();
+ // The size of the n Sensor elements on the wire is what we really want, but
+ // this is better than nothing.
+ if (n > reply.dataAvail()) {
+ ALOGE("Failed to get a reasonable size of the sensor list. This is likely a "
+ "malformed reply parcel. Number of elements: %d, data available in reply: %zu",
+ n, reply.dataAvail());
+ return v;
+ }
 v.setCapacity(n);
 while (n) {
 n--; |
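Review bot: The ALOGE in the added block formats the `uint32_t n` with `%d`, a signed conversion that does not match the argument; the format should read `Number of elements: %u` (or `%" PRIu32 "` with `<inttypes.h>`), and the same line is repeated in the hunks at @@ -86 and @@ -109. The guard itself compares an element count against `reply.dataAvail()`, a byte count, so it only rejects `n` larger than the total remaining bytes; if each Sensor read consumes at least some fixed number of bytes, dividing `dataAvail()` by that minimum would reject far more malformed counts before `setCapacity`, but the Sensor wire size is not visible here and would need to be confirmed. Since the eight added lines are identical in all three hunks, a small static helper that takes the parcel and the count and returns whether the count is plausible would keep the bound in one place. The enclosing methods start and end outside the hunk, so the `while (n)` read loop that follows is not reviewed here.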