Merge "libbinder: Don't abort when rpc parcel size is invalid" am: ec602d42c6... (08cec35e) · Commits · e / os / platform_frameworks_native

libs/binder/RpcState.cpp

+20 −6

Original line number	Diff line number	Diff line
		@@ -648,14 +648,21 @@ status_t RpcState::waitForReply(const sp<RpcSession::RpcConnection>& connection,
		Span<const uint32_t> objectTableSpan;
		if (session->getProtocolVersion().value() >=
		RPC_WIRE_PROTOCOL_VERSION_RPC_HEADER_FEATURE_EXPLICIT_PARCEL_SIZE) {
		Span<const uint8_t> objectTableBytes = parcelSpan.splitOff(rpcReply.parcelDataSize);
		std::optional<Span<const uint8_t>> objectTableBytes =
		parcelSpan.splitOff(rpcReply.parcelDataSize);
		if (!objectTableBytes.has_value()) {
		ALOGE("Parcel size larger than available bytes: %" PRId32 " vs %zu. Terminating!",
		rpcReply.parcelDataSize, parcelSpan.byteSize());
		(void)session->shutdownAndWait(false);
		return BAD_VALUE;
		}
		std::optional<Span<const uint32_t>> maybeSpan =
		objectTableBytes.reinterpret<const uint32_t>();
		objectTableBytes->reinterpret<const uint32_t>();
		if (!maybeSpan.has_value()) {
		ALOGE("Bad object table size inferred from RpcWireReply. Saw bodySize=%" PRId32
		" sizeofHeader=%zu parcelSize=%" PRId32 " objectTableBytesSize=%zu. Terminating!",
		command.bodySize, rpcReplyWireSize, rpcReply.parcelDataSize,
		objectTableBytes.size);
		objectTableBytes->size);
		return BAD_VALUE;
		}
		objectTableSpan = *maybeSpan;
		@@ -898,15 +905,22 @@ processTransactInternalTailCall:
		Span<const uint32_t> objectTableSpan;
		if (session->getProtocolVersion().value() >
		RPC_WIRE_PROTOCOL_VERSION_RPC_HEADER_FEATURE_EXPLICIT_PARCEL_SIZE) {
		Span<const uint8_t> objectTableBytes = parcelSpan.splitOff(transaction->parcelDataSize);
		std::optional<Span<const uint8_t>> objectTableBytes =
		parcelSpan.splitOff(transaction->parcelDataSize);
		if (!objectTableBytes.has_value()) {
		ALOGE("Parcel size (%" PRId32 ") greater than available bytes (%zu). Terminating!",
		transaction->parcelDataSize, parcelSpan.byteSize());
		(void)session->shutdownAndWait(false);
		return BAD_VALUE;
		}
		std::optional<Span<const uint32_t>> maybeSpan =
		objectTableBytes.reinterpret<const uint32_t>();
		objectTableBytes->reinterpret<const uint32_t>();
		if (!maybeSpan.has_value()) {
		ALOGE("Bad object table size inferred from RpcWireTransaction. Saw bodySize=%zu "
		"sizeofHeader=%zu parcelSize=%" PRId32
		" objectTableBytesSize=%zu. Terminating!",
		transactionData.size(), sizeof(RpcWireTransaction),
		transaction->parcelDataSize, objectTableBytes.size);
		transaction->parcelDataSize, objectTableBytes->size);
		return BAD_VALUE;
		}
		objectTableSpan = *maybeSpan;

libs/binder/Utils.h

+5 −3

Original line number	Diff line number	Diff line
		@@ -48,9 +48,11 @@ struct Span {
		// Truncates `this` to a length of `offset` and returns a span with the
		// remainder.
		//
		// Aborts if offset > size.
		Span<T> splitOff(size_t offset) {
		LOG_ALWAYS_FATAL_IF(offset > size);
		// `std::nullopt` iff offset > size.
		std::optional<Span<T>> splitOff(size_t offset) {
		if (offset > size) {
		return std::nullopt;
		}
		Span<T> rest = {data + offset, size - offset};
		size = offset;
		return rest;