libbinder: RPC reject excess threads Existing code allows arbitrarily many threads to be attached to a session, even though the server specifies a maximum. Bug: 189955605 Test: binderRpcTest (it's not possible to exploit this with existing APIs) Change-Id: I674f1cef759ae1c4fa7d0c27bbd8f8714f7c16ed

commit: 132d5bfb58efcb1d1d8e3b4b6a0967603e43ad29 [log] [tgz]
author: Steven Moreland <smoreland@google.com> Tue Aug 03 16:13:24 2021 -0700
committer: Steven Moreland <smoreland@google.com> Tue Aug 03 16:13:24 2021 -0700
tree: 562ad509bee4d6db930a08c24f9ec8502083cdfd
parent: a588da3ea77900adff9992ff4a231b965e931fdb [diff] [blame]
diff --git a/libs/binder/RpcSession.cpp b/libs/binder/RpcSession.cpp
index 254b99c..66f31b8 100644
--- a/libs/binder/RpcSession.cpp
+++ b/libs/binder/RpcSession.cpp

@@ -629,6 +629,12 @@
 sp<RpcSession::RpcConnection> RpcSession::assignIncomingConnectionToThisThread(unique_fd fd) {
     std::lock_guard<std::mutex> _l(mMutex);
 
+    if (mIncomingConnections.size() >= mMaxThreads) {
+        ALOGE("Cannot add thread to session with %zu threads (max is set to %zu)",
+              mIncomingConnections.size(), mMaxThreads);
+        return nullptr;
+    }
+
     // Don't accept any more connections, some have shutdown. Usually this
     // happens when new connections are still being established as part of a
     // very short-lived session which shuts down after it already started
commit	132d5bfb58efcb1d1d8e3b4b6a0967603e43ad29	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Tue Aug 03 16:13:24 2021 -0700
committer	Steven Moreland <smoreland@google.com>	Tue Aug 03 16:13:24 2021 -0700
tree	562ad509bee4d6db930a08c24f9ec8502083cdfd
parent	a588da3ea77900adff9992ff4a231b965e931fdb [diff] [blame]