Validate incoming data properly.

readEmbeddedBuffer() now requires the correct length
of the buffer as an argument.

Modified the readEmbeddedFromParcel() functions to take
a const-reference to the struct the data is embedded in.
The kernel has already fixed up the pointers, so we just need
to verify that the buffer has the correct size, parent buffer
and offset within that parent buffer.

Bug: 30498700
Test: hidl_test, hidl_test_java, YouTube, Maps, Netflix, Camera
Change-Id: I44d6ca7ef6f252f8154b03ff9914b7db69c70604
Merged-In: I44d6ca7ef6f252f8154b03ff9914b7db69c70604
diff --git a/transport/HidlBinderSupport.cpp b/transport/HidlBinderSupport.cpp
index c0601ca..f421953 100644
--- a/transport/HidlBinderSupport.cpp
+++ b/transport/HidlBinderSupport.cpp
@@ -33,7 +33,7 @@
 static_assert(hidl_memory::kOffsetOfHandle == 0, "wrong offset");
 static_assert(hidl_memory::kOffsetOfName == 24, "wrong offset");
 
-status_t readEmbeddedFromParcel(hidl_memory * /* memory */,
+status_t readEmbeddedFromParcel(const hidl_memory& memory,
         const Parcel &parcel, size_t parentHandle, size_t parentOffset) {
     const native_handle_t *handle;
     ::android::status_t _hidl_err = parcel.readNullableEmbeddedNativeHandle(
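Review bot: The new `memory` parameter is now read rather than ignored, but the signature does not say that it refers to a struct inside the received parcel, whose fields are therefore sender-controlled. A short comment above the function would help, for example `// |memory| is the struct as received in |parcel|; its fields are untrusted until the embedded buffers are verified below.` The added line also writes `const hidl_memory& memory` while the next line writes `const Parcel &parcel`; `const hidl_memory &memory` would match the style of the surrounding code. The function body continues past the end of this hunk, so whether the native handle that is read gets cross-checked against `memory` cannot be judged from here.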
@@ -43,7 +43,7 @@
 
     if (_hidl_err == ::android::OK) {
         _hidl_err = readEmbeddedFromParcel(
-                (hidl_string*) nullptr,
+                memory.name(),
                 parcel,
                 parentHandle,
                 parentOffset + hidl_memory::kOffsetOfName);
@@ -73,14 +73,28 @@
 const size_t hidl_string::kOffsetOfBuffer = offsetof(hidl_string, mBuffer);
 static_assert(hidl_string::kOffsetOfBuffer == 0, "wrong offset");
 
-status_t readEmbeddedFromParcel(hidl_string * /* string */,
+status_t readEmbeddedFromParcel(const hidl_string &string ,
         const Parcel &parcel, size_t parentHandle, size_t parentOffset) {
     const void *out;
-    return parcel.readEmbeddedBuffer(
+
+    status_t status = parcel.readEmbeddedBuffer(
+            string.size() + 1,
             nullptr /* buffer_handle */,
             parentHandle,
             parentOffset + hidl_string::kOffsetOfBuffer,
             &out);
+
+    if (status != OK) {
+        return status;
+    }
+
+    // Always safe to access out[string.size()] because we read size+1 bytes
+    if (static_cast<const char *>(out)[string.size()] != '\0') {
+        ALOGE("Received unterminated hidl_string buffer.");
+        return BAD_VALUE;
+    }
+
+    return OK;
 }
 
 status_t writeEmbeddedToParcel(const hidl_string &string,
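Review bot: The length `string.size() + 1` passed to readEmbeddedBuffer() is derived from a size field in the received struct, and nothing in the hunk guards the addition against wrap-around. The declaration of size() is not visible here, but if it can return the maximum value of its type the requested length becomes 0, and the later read of `out[string.size()]` is no longer covered by the "we read size+1 bytes" comment. A guard before the call, such as `if (string.size() == SIZE_MAX) return BAD_VALUE;`, makes that comment hold unconditionally. Two smaller points: `const void *out = nullptr;` would avoid relying on readEmbeddedBuffer() to set `out` on every success path, and the signature has a stray space in `&string ,`.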