OSDN Git Service

(root) / android-x86 / frameworks-native.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c6f30bd)
Don't corrupt parcel when writeFileDescriptor() fails
authorChristopher Tate <ctate@google.com>
Thu, 4 Jun 2015 01:44:15 +0000 (18:44 -0700)
committerChristopher Tate <ctate@google.com>
Mon, 8 Jun 2015 20:13:19 +0000 (13:13 -0700)
We now check for fd-legality before committing binder objects to
the flattened data buffer rather than after.  Previously we would
wind up corrupting the parcel and incurring driver-level errors,
as well as potentially leaking FDs.

Bug 21428802

Change-Id: Ice0d641b3dcc41fb1b8c68ce2e2ebd744c2863a1

libs/binder/Parcel.cpp patch | blob | history

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index bae4eb5..2ebf617 100644 (file)
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1013,21 +1013,22 @@ status_t Parcel::writeObject(const flat_binder_object& val, bool nullMetaData)
 restart_write:
         *reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;
 
-        // Need to write meta-data?
-        if (nullMetaData || val.binder != 0) {
-            mObjects[mObjectsSize] = mDataPos;
-            acquire_object(ProcessState::self(), val, this);
-            mObjectsSize++;
-        }
-
         // remember if it's a file descriptor
         if (val.type == BINDER_TYPE_FD) {
             if (!mAllowFds) {
+                // fail before modifying our object index
                 return FDS_NOT_ALLOWED;
             }
             mHasFds = mFdsKnown = true;
         }
 
+        // Need to write meta-data?
+        if (nullMetaData || val.binder != 0) {
+            mObjects[mObjectsSize] = mDataPos;
+            acquire_object(ProcessState::self(), val, this);
+            mObjectsSize++;
+        }
+
         return finishWrite(sizeof(flat_binder_object));
     }
 
frameworks/native
About OSDN
Find Software
Develop Software
Help