1 /** 2 * Copyright (C) 2020 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 #include <hwbinder/Parcel.h> 17 18 using namespace android::hardware; 19 main()20int main() { 21 int32_t numFds = 1; 22 int32_t numInts = 0; 23 android::status_t err = android::NO_ERROR; 24 25 native_handle_t *nativeHandleSend = native_handle_create(numFds, numInts); 26 Parcel *parcel = new Parcel(); 27 err = parcel->writeNativeHandleNoDup(nativeHandleSend); 28 if (err != android::NO_ERROR) { 29 return EXIT_FAILURE; 30 } 31 parcel->setDataPosition(0); 32 33 nativeHandleSend->numInts = 1024; 34 35 const native_handle_t *nativeHandleReceive = nullptr; 36 err = parcel->readNativeHandleNoDup(&nativeHandleReceive); 37 if (err == android::NO_ERROR) { 38 native_handle_t *tempHandle = const_cast<native_handle_t *>(nativeHandleReceive); 39 for (numInts = nativeHandleReceive->numFds; numInts < nativeHandleReceive->numInts; 40 ++numInts) { 41 ++tempHandle->data[numInts]; 42 } 43 } 44 45 // The fix is to validate the nativeHandle size and return an error. Hence 46 // if control reaches here, the patch is present. Return EXIT_SUCCESS 47 delete parcel; 48 native_handle_delete(nativeHandleSend); 49 return EXIT_SUCCESS; 50 } 51