Don't corrupt parcel when writeFileDescriptor() fails
We now check for fd-legality before committing binder objects to the flattened data buffer rather than after. Previously we would wind up corrupting the parcel and incurring driver-level errors, as well as potentially leaking FDs. Bug 21428802 Change-Id: Ice0d641b3dcc41fb1b8c68ce2e2ebd744c2863a1
parent
c6f30bdee1
commit
98e67d352b
@ -1013,6 +1013,15 @@ status_t Parcel::writeObject(const flat_binder_object& val, bool nullMetaData)
|
|||||||
restart_write:
|
restart_write:
|
||||||
*reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;
|
*reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;
|
||||||
|
|
||||||
|
// remember if it's a file descriptor
|
||||||
|
if (val.type == BINDER_TYPE_FD) {
|
||||||
|
if (!mAllowFds) {
|
||||||
|
// fail before modifying our object index
|
||||||
|
return FDS_NOT_ALLOWED;
|
||||||
|
}
|
||||||
|
mHasFds = mFdsKnown = true;
|
||||||
|
}
|
||||||
|
|
||||||
// Need to write meta-data?
|
// Need to write meta-data?
|
||||||
if (nullMetaData || val.binder != 0) {
|
if (nullMetaData || val.binder != 0) {
|
||||||
mObjects[mObjectsSize] = mDataPos;
|
mObjects[mObjectsSize] = mDataPos;
|
||||||
@ -1020,14 +1029,6 @@ restart_write:
|
|||||||
mObjectsSize++;
|
mObjectsSize++;
|
||||||
}
|
}
|
||||||
|
|
||||||
// remember if it's a file descriptor
|
|
||||||
if (val.type == BINDER_TYPE_FD) {
|
|
||||||
if (!mAllowFds) {
|
|
||||||
return FDS_NOT_ALLOWED;
|
|
||||||
}
|
|
||||||
mHasFds = mFdsKnown = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
return finishWrite(sizeof(flat_binder_object));
|
return finishWrite(sizeof(flat_binder_object));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
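Review bot: The `!mAllowFds` rejection in the first hunk still sits below the `*reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;` store, so a refused object, including its descriptor number, has already been copied into the data buffer when `FDS_NOT_ALLOWED` is returned. Only the object index is left untouched at that point. If a refused write is meant to leave the parcel unmodified, the rejection could go ahead of the store as `if (val.type == BINDER_TYPE_FD && !mAllowFds) return FDS_NOT_ALLOWED;`, keeping `mHasFds = mFdsKnown = true;` where it is. The description mentions leaked FDs, but nothing in these hunks closes a descriptor on the error return, so the callers that own or dup the fd (outside this view) should be checked for closing it on failure. `writeObject` begins above the first hunk, so the capacity check and any jump back to `restart_write:` are not visible here.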