Binder: Make sure binder objects do not overlap
Fixes crashing part of bug 11355082. The driver still leaks references. Change-Id: Ibc6a63b151c1fc1f7666237f25255ba781e02071
parent
14e8b01a76
commit
f50b9eaaee
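--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -35,6 +35,7 @@
 
 #include <private/binder/binder_module.h>
 
+#include <inttypes.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdint.h>
@@ -1317,6 +1318,7 @@ size_t Parcel::ipcObjectsCount() const
 void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
 const size_t* objects, size_t objectsCount, release_func relFunc, void* relCookie)
 {
+binder_size_t minOffset = 0;
 freeDataNoInit();
 mError = NO_ERROR;
 mData = const_cast<uint8_t*>(data);
@@ -1329,6 +1331,16 @@ void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
 mNextObjectHint = 0;
 mOwner = relFunc;
 mOwnerCookie = relCookie;
+for (size_t i = 0; i < mObjectsSize; i++) {
+binder_size_t offset = mObjects[i];
+if (offset < minOffset) {
+ALOGE("%s: bad object offset %"PRIu64" < %"PRIu64"\n",
+__func__, (uint64_t)offset, (uint64_t)minOffset);
+mObjectsSize = 0;
+break;
+}
+minOffset = offset + sizeof(flat_binder_object);
+}
 scanForFds();
 }
 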
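Review bot: The new validation loop in ipcSetDataReference (third hunk) only rejects an offset that is below minOffset; it never checks that the object also fits inside the buffer, so an offset at or beyond dataSize still passes and anything that later dereferences it (the scanForFds() call below, for instance) may read outside the data this function was handed. dataSize is a parameter of this very function (its signature is in the previous hunk), so the guard can be widened to `if (offset < minOffset || dataSize < sizeof(flat_binder_object) || offset > dataSize - sizeof(flat_binder_object)) {`, written in that order so the unsigned subtraction cannot wrap. On the failure path mObjectsSize is zeroed but mError keeps the NO_ERROR set a few lines earlier, so a caller cannot tell that every object was silently dropped; recording an error there seems warranted. Separately, `"%"PRIu64"` needs whitespace around the macro, `"%" PRIu64 " < %" PRIu64 "\n"`, because C++11 parses an identifier glued to a string literal as a user-defined-literal suffix. The enclosing function starts in the previous hunk.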