Loading libs/binder/RpcState.cpp +20 −6 Original line number Diff line number Diff line Loading @@ -648,14 +648,21 @@ status_t RpcState::waitForReply(const sp<RpcSession::RpcConnection>& connection, Span<const uint32_t> objectTableSpan; if (session->getProtocolVersion().value() >= RPC_WIRE_PROTOCOL_VERSION_RPC_HEADER_FEATURE_EXPLICIT_PARCEL_SIZE) { Span<const uint8_t> objectTableBytes = parcelSpan.splitOff(rpcReply.parcelDataSize); std::optional<Span<const uint8_t>> objectTableBytes = parcelSpan.splitOff(rpcReply.parcelDataSize); if (!objectTableBytes.has_value()) { ALOGE("Parcel size larger than available bytes: %" PRId32 " vs %zu. Terminating!", rpcReply.parcelDataSize, parcelSpan.byteSize()); (void)session->shutdownAndWait(false); return BAD_VALUE; } std::optional<Span<const uint32_t>> maybeSpan = objectTableBytes.reinterpret<const uint32_t>(); objectTableBytes->reinterpret<const uint32_t>(); if (!maybeSpan.has_value()) { ALOGE("Bad object table size inferred from RpcWireReply. Saw bodySize=%" PRId32 " sizeofHeader=%zu parcelSize=%" PRId32 " objectTableBytesSize=%zu. Terminating!", command.bodySize, rpcReplyWireSize, rpcReply.parcelDataSize, objectTableBytes.size); objectTableBytes->size); return BAD_VALUE; } objectTableSpan = *maybeSpan; Loading Loading 
@@ -898,15 +905,22 @@ processTransactInternalTailCall: Span<const uint32_t> objectTableSpan; if (session->getProtocolVersion().value() > RPC_WIRE_PROTOCOL_VERSION_RPC_HEADER_FEATURE_EXPLICIT_PARCEL_SIZE) { Span<const uint8_t> objectTableBytes = parcelSpan.splitOff(transaction->parcelDataSize); std::optional<Span<const uint8_t>> objectTableBytes = parcelSpan.splitOff(transaction->parcelDataSize); if (!objectTableBytes.has_value()) { ALOGE("Parcel size (%" PRId32 ") greater than available bytes (%zu). Terminating!", transaction->parcelDataSize, parcelSpan.byteSize()); (void)session->shutdownAndWait(false); return BAD_VALUE; } std::optional<Span<const uint32_t>> maybeSpan = objectTableBytes.reinterpret<const uint32_t>(); objectTableBytes->reinterpret<const uint32_t>(); if (!maybeSpan.has_value()) { ALOGE("Bad object table size inferred from RpcWireTransaction. Saw bodySize=%zu " "sizeofHeader=%zu parcelSize=%" PRId32 " objectTableBytesSize=%zu. Terminating!", transactionData.size(), sizeof(RpcWireTransaction), transaction->parcelDataSize, objectTableBytes.size); transaction->parcelDataSize, objectTableBytes->size); return BAD_VALUE; } objectTableSpan = *maybeSpan; Loading libs/binder/Utils.h +5 −3 Original line number Diff line number Diff line Loading @@ -48,9 +48,11 @@ struct Span { // Truncates `this` to a length of `offset` and returns a span with the // remainder. // // Aborts if offset > size. Span<T> splitOff(size_t offset) { LOG_ALWAYS_FATAL_IF(offset > size); // `std::nullopt` iff offset > size. std::optional<Span<T>> splitOff(size_t offset) { if (offset > size) { return std::nullopt; } Span<T> rest = {data + offset, size - offset}; size = offset; return rest; Loading Loading
libs/binder/RpcState.cpp +20 −6 Original line number Diff line number Diff line Loading @@ -648,14 +648,21 @@ status_t RpcState::waitForReply(const sp<RpcSession::RpcConnection>& connection, Span<const uint32_t> objectTableSpan; if (session->getProtocolVersion().value() >= RPC_WIRE_PROTOCOL_VERSION_RPC_HEADER_FEATURE_EXPLICIT_PARCEL_SIZE) { Span<const uint8_t> objectTableBytes = parcelSpan.splitOff(rpcReply.parcelDataSize); std::optional<Span<const uint8_t>> objectTableBytes = parcelSpan.splitOff(rpcReply.parcelDataSize); if (!objectTableBytes.has_value()) { ALOGE("Parcel size larger than available bytes: %" PRId32 " vs %zu. Terminating!", rpcReply.parcelDataSize, parcelSpan.byteSize()); (void)session->shutdownAndWait(false); return BAD_VALUE; } std::optional<Span<const uint32_t>> maybeSpan = objectTableBytes.reinterpret<const uint32_t>(); objectTableBytes->reinterpret<const uint32_t>(); if (!maybeSpan.has_value()) { ALOGE("Bad object table size inferred from RpcWireReply. Saw bodySize=%" PRId32 " sizeofHeader=%zu parcelSize=%" PRId32 " objectTableBytesSize=%zu. Terminating!", command.bodySize, rpcReplyWireSize, rpcReply.parcelDataSize, objectTableBytes.size); objectTableBytes->size); return BAD_VALUE; } objectTableSpan = *maybeSpan; Loading Loading 
@@ -898,15 +905,22 @@ processTransactInternalTailCall: Span<const uint32_t> objectTableSpan; if (session->getProtocolVersion().value() > RPC_WIRE_PROTOCOL_VERSION_RPC_HEADER_FEATURE_EXPLICIT_PARCEL_SIZE) { Span<const uint8_t> objectTableBytes = parcelSpan.splitOff(transaction->parcelDataSize); std::optional<Span<const uint8_t>> objectTableBytes = parcelSpan.splitOff(transaction->parcelDataSize); if (!objectTableBytes.has_value()) { ALOGE("Parcel size (%" PRId32 ") greater than available bytes (%zu). Terminating!", transaction->parcelDataSize, parcelSpan.byteSize()); (void)session->shutdownAndWait(false); return BAD_VALUE; } std::optional<Span<const uint32_t>> maybeSpan = objectTableBytes.reinterpret<const uint32_t>(); objectTableBytes->reinterpret<const uint32_t>(); if (!maybeSpan.has_value()) { ALOGE("Bad object table size inferred from RpcWireTransaction. Saw bodySize=%zu " "sizeofHeader=%zu parcelSize=%" PRId32 " objectTableBytesSize=%zu. Terminating!", transactionData.size(), sizeof(RpcWireTransaction), transaction->parcelDataSize, objectTableBytes.size); transaction->parcelDataSize, objectTableBytes->size); return BAD_VALUE; } objectTableSpan = *maybeSpan; Loading
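Review bot: The new bounds check in the processTransactInternal hunk (@@ -898) is gated by `getProtocolVersion().value() > RPC_WIRE_PROTOCOL_VERSION_RPC_HEADER_FEATURE_EXPLICIT_PARCEL_SIZE`, while the matching block in waitForReply (@@ -648) uses `>=`, so a session at exactly that protocol version never reaches the `splitOff` validation on the transaction path. If the two paths are meant to agree, the transaction condition should use `>=`; how `parcelDataSize` is handled when the condition is false lies outside the hunk and needs confirming against the full function. Separately, in both hunks the new failure branch calls `(void)session->shutdownAndWait(false);` before `return BAD_VALUE;`, but the existing `!maybeSpan.has_value()` branch logs "Terminating!" and returns without it. Either add the same shutdown call there or add a comment stating that the caller tears the session down on `BAD_VALUE`. Both functions start and end outside the hunks.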
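--- a/libs/binder/Utils.h
+++ b/libs/binder/Utils.h
@@ -48,9 +48,11 @@ struct Span {
 // Truncates `this` to a length of `offset` and returns a span with the
 // remainder.
 //
-// Aborts if offset > size.
-Span<T> splitOff(size_t offset) {
-LOG_ALWAYS_FATAL_IF(offset > size);
+// `std::nullopt` iff offset > size.
+std::optional<Span<T>> splitOff(size_t offset) {
+if (offset > size) {
+return std::nullopt;
+}
 Span<T> rest = {data + offset, size - offset};
 size = offset;
 return rest;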
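Review bot: `splitOff` now reports an out-of-range offset through its return value instead of aborting, so a caller that invokes it only for the truncating side effect and drops the result would silently continue with an untruncated span. Callers other than the two updated in RpcState.cpp are not visible here. Suggest `[[nodiscard]] std::optional<Span<T>> splitOff(size_t offset) {` so the compiler flags a dropped result. The comment should also state the contract the RpcState.cpp callers rely on when they log `parcelSpan.byteSize()` after a failed split: `// Returns std::nullopt and leaves this span unmodified iff offset > size.` Whether Utils.h already includes `<optional>` is not visible in the hunk and should be checked; the struct continues outside the hunk.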