Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 132d5bfb authored by Steven Moreland's avatar Steven Moreland
Browse files

libbinder: RPC reject excess threads 

Existing code allows arbitrarily many threads to be attached to a
session, even though the server specifies a maximum.

Bug: 189955605
Test: binderRpcTest (it's not possible to exploit this with existing
    APIs)
Change-Id: I674f1cef759ae1c4fa7d0c27bbd8f8714f7c16ed
parent a588da3e

libs/binder/RpcSession.cpp

+6 −0
Original line number Diff line number Diff line
@@ -629,6 +629,12 @@ bool RpcSession::setForServer(const wp<RpcServer>& server, const wp<EventListene 
sp<RpcSession::RpcConnection> RpcSession::assignIncomingConnectionToThisThread(unique_fd fd) {

    std::lock_guard<std::mutex> _l(mMutex);



    if (mIncomingConnections.size() >= mMaxThreads) {

        ALOGE("Cannot add thread to session with %zu threads (max is set to %zu)",

              mIncomingConnections.size(), mMaxThreads);

        return nullptr;

    }



    // Don't accept any more connections, some have shutdown. Usually this

    // happens when new connections are still being established as part of a

    // very short-lived session which shuts down after it already started