Limit number of keygen args to prevent memory allocation local DOS. Bug: 18340653 Change-Id: I1202d99bb556c8a21741dbffefc07702d9585aaa

commit: 77d71ca20c30a5e7ecfa20980ade9b90cc7ca65c [log] [tgz]
author: Shawn Willden <swillden@google.com> Wed Nov 12 16:45:12 2014 -0700
committer: Shawn Willden <swillden@google.com> Mon Nov 24 09:25:51 2014 -0700
tree: 165c429336da86e37cd9b4a53562746c844a3996
parent: 6c4a9591dbe74fa8ff5b7df7965231a38be0e94b [diff]
diff --git a/keystore/IKeystoreService.cpp b/keystore/IKeystoreService.cpp
index 40fbe0e..ca97650 100644
--- a/keystore/IKeystoreService.cpp
+++ b/keystore/IKeystoreService.cpp

@@ -29,6 +29,8 @@
 
 namespace android {
 
+const ssize_t MAX_GENERATE_ARGS = 3;
+
 KeystoreArg::KeystoreArg(const void* data, size_t len)
     : mData(data), mSize(len) {
 }
@@ -769,6 +771,9 @@
             int32_t flags = data.readInt32();
             Vector<sp<KeystoreArg> > args;
             ssize_t numArgs = data.readInt32();
+	    if (numArgs > MAX_GENERATE_ARGS) {
+		return BAD_VALUE;
+	    }
             if (numArgs > 0) {
                 for (size_t i = 0; i < (size_t) numArgs; i++) {
                     ssize_t inSize = data.readInt32();
commit	77d71ca20c30a5e7ecfa20980ade9b90cc7ca65c	[log] [tgz]
author	Shawn Willden <swillden@google.com>	Wed Nov 12 16:45:12 2014 -0700
committer	Shawn Willden <swillden@google.com>	Mon Nov 24 09:25:51 2014 -0700
tree	165c429336da86e37cd9b4a53562746c844a3996
parent	6c4a9591dbe74fa8ff5b7df7965231a38be0e94b [diff]