author | Christopher Tate <ctate@google.com> | 2015-06-03 18:44:15 -0700 |
---|---|---|
committer | Christopher Tate <ctate@google.com> | 2015-06-08 13:13:19 -0700 |
commit | 98e67d352b8805a868ca0e7c2be3ea830fb7c338 (patch) | |
tree | 55f0942778666611027851e7d4e302fa86acc211 /libs/binder | |
parent | c6f30bdee1f634eb90d68cb76efe935b6535a1e8 (diff) | |
Don't corrupt parcel when writeFileDescriptor() fails
We now check for fd-legality before committing binder objects to
the flattened data buffer rather than after. Previously we would
wind up corrupting the parcel and incurring driver-level errors,
as well as potentially leaking FDs.
Bug 21428802
Change-Id: Ice0d641b3dcc41fb1b8c68ce2e2ebd744c2863a1
Diffstat (limited to 'libs/binder')
-rw-r--r-- | libs/binder/Parcel.cpp | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index bae4eb5..2ebf617 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1013,21 +1013,22 @@ status_t Parcel::writeObject(const flat_binder_object& val, bool nullMetaData)
 restart_write:
 *reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;
- // Need to write meta-data?
- if (nullMetaData || val.binder != 0) {
- mObjects[mObjectsSize] = mDataPos;
- acquire_object(ProcessState::self(), val, this);
- mObjectsSize++;
- }
-
 // remember if it's a file descriptor
 if (val.type == BINDER_TYPE_FD) {
 if (!mAllowFds) {
+ // fail before modifying our object index
 return FDS_NOT_ALLOWED;
 }
 mHasFds = mFdsKnown = true;
 }
+ // Need to write meta-data?
+ if (nullMetaData || val.binder != 0) {
+ mObjects[mObjectsSize] = mDataPos;
+ acquire_object(ProcessState::self(), val, this);
+ mObjectsSize++;
+ }
+
 return finishWrite(sizeof(flat_binder_object));
 } |
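Review bot: The rejection of a disallowed FD still runs after `*reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;`, so the `FDS_NOT_ALLOWED` path returns with the object's bytes already stored at `mDataPos`, even though the object index update and `acquire_object()` are now skipped. That looks harmless only as long as nothing advances the position or size on this path, which appears to be left to `finishWrite()`; hoisting the test ahead of the store, e.g. `if (val.type == BINDER_TYPE_FD && !mAllowFds) return FDS_NOT_ALLOWED;`, would make the failure path free of side effects. The new comment could also state the contract explicitly, along the lines of `// reject before touching mObjects or taking a reference; caller still owns the fd`, if that ownership rule is what callers are expected to follow. The body of writeObject begins and continues outside this hunk, so any buffer growth that happens before `restart_write:` is not visible here.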