Merge "Prevent OOBR in NxpNfc::ioctl" into qt-qpr1-dev

author: TreeHugger Robot <treehugger-gerrit@google.com> 2020-03-25 22:18:34 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2020-03-25 22:18:34 +0000
commit: 1f119ee6542ca119eadb5b0a4a9689583dc50b38 (patch)
tree: b6bd8bf16485028d77bae08904195b9230c331bf
parent: 9e2d8a17571c6a62cc6db669e51147582632bb0b (diff)
parent: 6ece5eb6ee400b4b263ab9409b92527f21fb063a (diff)
download: android_hardware_nxp_nfc-1f119ee6542ca119eadb5b0a4a9689583dc50b38.tar.gz
android_hardware_nxp_nfc-1f119ee6542ca119eadb5b0a4a9689583dc50b38.tar.bz2
android_hardware_nxp_nfc-1f119ee6542ca119eadb5b0a4a9689583dc50b38.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/extns/impl/NxpNfc.cpp b/extns/impl/NxpNfc.cpp
index 955499f..3aab2a9 100755
--- a/extns/impl/NxpNfc.cpp
+++ b/extns/impl/NxpNfc.cpp
@@ -38,6 +38,10 @@ Return<void> NxpNfc::ioctl(uint64_t ioctlType,
   nfc_nci_IoctlInOutData_t* pInOutData =
       (nfc_nci_IoctlInOutData_t*)&inOutData[0];
 
+  if (inOutData.size() < sizeof (nfc_nci_IoctlInOutData_t)) {
+    ALOGE("%s invalid inOutData size, size = %d", __func__, (int)inOutData.size());
+    return Void();
+  }
   /*data from proxy->stub is copied to local data which can be updated by
    * underlying HAL implementation since its an inout argument*/
   memcpy(&inpOutData, pInOutData, sizeof(nfc_nci_IoctlInOutData_t));
author	TreeHugger Robot <treehugger-gerrit@google.com>	2020-03-25 22:18:34 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2020-03-25 22:18:34 +0000
commit	1f119ee6542ca119eadb5b0a4a9689583dc50b38 (patch)
tree	b6bd8bf16485028d77bae08904195b9230c331bf
parent	9e2d8a17571c6a62cc6db669e51147582632bb0b (diff)
parent	6ece5eb6ee400b4b263ab9409b92527f21fb063a (diff)
download	android_hardware_nxp_nfc-1f119ee6542ca119eadb5b0a4a9689583dc50b38.tar.gz android_hardware_nxp_nfc-1f119ee6542ca119eadb5b0a4a9689583dc50b38.tar.bz2 android_hardware_nxp_nfc-1f119ee6542ca119eadb5b0a4a9689583dc50b38.zip