Don't corrupt parcel when writeFileDescriptor() fails

We now check for fd-legality before committing binder objects to the flattened data buffer rather than after. Previously we would wind up corrupting the parcel and incurring driver-level errors, as well as potentially leaking FDs. Bug 21428802 Change-Id: Ice0d641b3dcc41fb1b8c68ce2e2ebd744c2863a1
2015-06-03 18:44:15 -07:00 · 2015-06-03 18:44:15 -07:00 · 98e67d352b
parent c6f30bdee1
commit 98e67d352b
1 changed files with 9 additions and 8 deletions
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@ -1013,6 +1013,15 @@ status_t Parcel::writeObject(const flat_binder_object& val, bool nullMetaData)
 restart_write:
        *reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;

+        // remember if it's a file descriptor
+        if (val.type == BINDER_TYPE_FD) {
+            if (!mAllowFds) {
+                // fail before modifying our object index
+                return FDS_NOT_ALLOWED;
+            }
+            mHasFds = mFdsKnown = true;
+        }
+
        // Need to write meta-data?
        if (nullMetaData || val.binder != 0) {
            mObjects[mObjectsSize] = mDataPos;
@ -1020,14 +1029,6 @@ restart_write:
            mObjectsSize++;
        }

-        // remember if it's a file descriptor
-        if (val.type == BINDER_TYPE_FD) {
-            if (!mAllowFds) {
-                return FDS_NOT_ALLOWED;
-            }
-            mHasFds = mFdsKnown = true;
-        }
-
        return finishWrite(sizeof(flat_binder_object));
    }