Prevent OOBR in NxpNfc::ioctl Bug: 139736127 Test: nxp ioctl work Change-Id: I693f6534ff93ccda9df063d126a24eaddc11856c (cherry picked from commit 5235b50bae57631d64a9f38627c38a2b1d786519)
diff --git a/extns/impl/NxpNfc.cpp b/extns/impl/NxpNfc.cpp
index 955499f..3aab2a9 100755
--- a/extns/impl/NxpNfc.cpp
+++ b/extns/impl/NxpNfc.cpp
@@ -38,6 +38,10 @@
 nfc_nci_IoctlInOutData_t* pInOutData = (nfc_nci_IoctlInOutData_t*)&inOutData[0];
+ if (inOutData.size() < sizeof (nfc_nci_IoctlInOutData_t)) {
+ ALOGE("%s invalid inOutData size, size = %d", __func__, (int)inOutData.size());
+ return Void();
+ }
 /*data from proxy->stub is copied to local data which can be updated by
 * underlying HAL implementation since its an inout argument*/
 memcpy(&inpOutData, pInOutData, sizeof(nfc_nci_IoctlInOutData_t));
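Review bot: The new size check runs only after `&inOutData[0]` has been evaluated on the context line above it, so an empty vector is still indexed before it is rejected. Only the address is taken there, but the guard is safer placed first, with the pointer derived afterwards from `inOutData.data()`. The log line narrows `size()` to `int` for `%d`; `%zu` with the uncast value would avoid truncation. The early `return Void();` leaves without reporting a result, so if this method delivers its status through a HIDL callback (the signature is outside the hunk), the rejected path should still hand the caller an explicit failure. The check also covers only the fixed-size struct, so any length or offset fields inside `nfc_nci_IoctlInOutData_t` that the rest of ioctl consumes (not visible here) need their own bounds validation.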