Binder: Make sure binder objects do not overlap

Fixes crashing part of bug 11355082.
The driver still leaks references.

Change-Id: Ibc6a63b151c1fc1f7666237f25255ba781e02071
This commit is contained in:
Arve Hjønnevåg 2014-02-13 19:22:08 -08:00 committed by Arve Hjønnevåg
parent 14e8b01a76
commit f50b9eaaee

View File

@ -35,6 +35,7 @@
#include <private/binder/binder_module.h> #include <private/binder/binder_module.h>
#include <inttypes.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <stdint.h> #include <stdint.h>
@ -1317,6 +1318,7 @@ size_t Parcel::ipcObjectsCount() const
void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize, void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
const size_t* objects, size_t objectsCount, release_func relFunc, void* relCookie) const size_t* objects, size_t objectsCount, release_func relFunc, void* relCookie)
{ {
binder_size_t minOffset = 0;
freeDataNoInit(); freeDataNoInit();
mError = NO_ERROR; mError = NO_ERROR;
mData = const_cast<uint8_t*>(data); mData = const_cast<uint8_t*>(data);
@ -1329,6 +1331,16 @@ void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
mNextObjectHint = 0; mNextObjectHint = 0;
mOwner = relFunc; mOwner = relFunc;
mOwnerCookie = relCookie; mOwnerCookie = relCookie;
for (size_t i = 0; i < mObjectsSize; i++) {
binder_size_t offset = mObjects[i];
if (offset < minOffset) {
ALOGE("%s: bad object offset %"PRIu64" < %"PRIu64"\n",
__func__, (uint64_t)offset, (uint64_t)minOffset);
mObjectsSize = 0;
break;
}
minOffset = offset + sizeof(flat_binder_object);
}
scanForFds(); scanForFds();
} }