From 98e67d352b8805a868ca0e7c2be3ea830fb7c338 Mon Sep 17 00:00:00 2001
From: Christopher Tate
Date: Wed, 3 Jun 2015 18:44:15 -0700
Subject: [PATCH] Don't corrupt parcel when writeFileDescriptor() fails

We now check for fd-legality before committing binder objects to the flattened data buffer rather than after. Previously we would wind up corrupting the parcel and incurring driver-level errors, as well as potentially leaking FDs.

Bug 21428802

Change-Id: Ice0d641b3dcc41fb1b8c68ce2e2ebd744c2863a1
---
 libs/binder/Parcel.cpp | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index bae4eb54f..2ebf617cf 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1013,6 +1013,15 @@ status_t Parcel::writeObject(const flat_binder_object& val, bool nullMetaData)
 restart_write:
 *reinterpret_cast(mData+mDataPos) = val;
 
+ // remember if it's a file descriptor
+ if (val.type == BINDER_TYPE_FD) {
+ if (!mAllowFds) {
+ // fail before modifying our object index
+ return FDS_NOT_ALLOWED;
+ }
+ mHasFds = mFdsKnown = true;
+ }
+
 // Need to write meta-data?
 if (nullMetaData || val.binder != 0) {
 mObjects[mObjectsSize] = mDataPos;
@@ -1020,14 +1029,6 @@ restart_write:
 mObjectsSize++;
 }
 
- // remember if it's a file descriptor
- if (val.type == BINDER_TYPE_FD) {
- if (!mAllowFds) {
- return FDS_NOT_ALLOWED;
- }
- mHasFds = mFdsKnown = true;
- }
-
 return finishWrite(sizeof(flat_binder_object));
 }
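Review bot: The `mAllowFds` check still runs after the store `*reinterpret_cast(mData+mDataPos) = val;` at `restart_write:`, so a rejected FD object has already been copied into the data buffer by the time `FDS_NOT_ALLOWED` is returned. Since `mDataPos` is not advanced on that path this is likely harmless when writing at the end of the parcel, but if the position had been moved back into existing data (not visible here) the rejected object would overwrite valid bytes without an index entry. Rejecting before the store, for example `if (val.type == BINDER_TYPE_FD && !mAllowFds) return FDS_NOT_ALLOWED;` ahead of `restart_write:`, would leave the failure path free of side effects and match the commit description. The start of `writeObject`, including the capacity check and any grow-and-retry path that jumps to this label, is outside the hunk, so the exact placement needs confirming there.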