From 71a33cfa678ddc7704693b45244f3190af1da65d Mon Sep 17 00:00:00 2001
From: Mayank Rana <mrana@quicinc.com>
Date: Fri, 11 Sep 2020 11:40:00 -0700
Subject: [PATCH] adbd: Fix check against valid payload size

block->payload and its size are not valid when it is used to check
against bytes_left due to std::move() performed on its just prior
to the check. Hence check will always fail to detect the case where
received data is more than expected. To detect this condition and
allow error handling with std::move(), remove extra payload variable
and directly use block->payload.

Bug: http://b/168917244
Change-Id: I992bbba9d9a9861a195834f69d62e69b90658210
---
 adb/daemon/usb.cpp | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/adb/daemon/usb.cpp b/adb/daemon/usb.cpp
index a66387193..50d73644d 100644
--- a/adb/daemon/usb.cpp
+++ b/adb/daemon/usb.cpp
@@ -584,12 +584,11 @@ struct UsbFfsConnection : public Connection {
                 incoming_header_ = msg;
             } else {
                 size_t bytes_left = incoming_header_->data_length - incoming_payload_.size();
-                Block payload = std::move(block->payload);
                 if (block->payload.size() > bytes_left) {
                     HandleError("received too many bytes while waiting for payload");
                     return false;
                 }
-                incoming_payload_.append(std::move(payload));
+                incoming_payload_.append(std::move(block->payload));
             }
 
             if (incoming_header_->data_length == incoming_payload_.size()) {