
Commit 98e67d35 authored by Christopher Tate's avatar Christopher Tate

Don't corrupt parcel when writeFileDescriptor() fails

We now check for fd-legality before committing binder objects to
the flattened data buffer rather than after.  Previously we would
wind up corrupting the parcel and incurring driver-level errors,
as well as potentially leaking FDs.

Bug 21428802

Change-Id: Ice0d641b3dcc41fb1b8c68ce2e2ebd744c2863a1
parent c6f30bde
+8 −7
@@ -1013,21 +1013,22 @@ status_t Parcel::writeObject(const flat_binder_object& val, bool nullMetaData)
restart_write:
restart_write:
        *reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;
        *reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;


        // Need to write meta-data?
        if (nullMetaData || val.binder != 0) {
            mObjects[mObjectsSize] = mDataPos;
            acquire_object(ProcessState::self(), val, this);
            mObjectsSize++;
        }

        // remember if it's a file descriptor
        // remember if it's a file descriptor
        if (val.type == BINDER_TYPE_FD) {
        if (val.type == BINDER_TYPE_FD) {
            if (!mAllowFds) {
            if (!mAllowFds) {
                // fail before modifying our object index
                return FDS_NOT_ALLOWED;
                return FDS_NOT_ALLOWED;
            }
            }
            mHasFds = mFdsKnown = true;
            mHasFds = mFdsKnown = true;
        }
        }


        // Need to write meta-data?
        if (nullMetaData || val.binder != 0) {
            mObjects[mObjectsSize] = mDataPos;
            acquire_object(ProcessState::self(), val, this);
            mObjectsSize++;
        }

        return finishWrite(sizeof(flat_binder_object));
        return finishWrite(sizeof(flat_binder_object));
    }
    }
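Review bot: In the new ordering the `mAllowFds` check still runs after `*reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;`, so on the `FDS_NOT_ALLOWED` return the rejected object (including its descriptor number) has already been stored at `mDataPos`. The object index is untouched and, presumably because `finishWrite()` is not reached, the write position is too, so the parcel stays consistent; the stale bytes remain in the buffer until the next write overwrites them. Testing `if (val.type == BINDER_TYPE_FD && !mAllowFds) return FDS_NOT_ALLOWED;` before the store would leave the failure path with no side effects at all, and `mHasFds = mFdsKnown = true;` can stay where it is. If the store has to stay first, the comment could say so: `// fail before modifying our object index; the bytes stored above are not committed`. writeObject() begins outside this hunk, so the capacity checks before `restart_write:` and whether callers close a descriptor they own on this error are not visible here and are worth confirming.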