Don't corrupt parcel when writeFileDescriptor() fails
We now check for fd-legality before committing binder objects to
the flattened data buffer rather than after. Previously we would
wind up corrupting the parcel and incurring driver-level errors,
as well as potentially leaking FDs.
Bug 21428802
Change-Id: Ice0d641b3dcc41fb1b8c68ce2e2ebd744c2863a1
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index bae4eb5..2ebf617 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1013,6 +1013,15 @@
restart_write:
*reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;
+ // remember if it's a file descriptor
+ if (val.type == BINDER_TYPE_FD) {
+ if (!mAllowFds) {
+ // fail before modifying our object index
+ return FDS_NOT_ALLOWED;
+ }
+ mHasFds = mFdsKnown = true;
+ }
+
// Need to write meta-data?
if (nullMetaData || val.binder != 0) {
mObjects[mObjectsSize] = mDataPos;
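Review bot: The store `*reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;` still runs before the new `mAllowFds` check, so on the `FDS_NOT_ALLOWED` path the object, including the descriptor number, has already been copied into the data buffer at `mDataPos`. As far as the hunk shows, neither `mObjects` nor the write position changes on that path, so the parcel stays consistent, but the rejected bytes remain in the buffer until something overwrites them. Moving the `if (val.type == BINDER_TYPE_FD)` block directly after `restart_write:` and above the store would make the failure path leave the buffer untouched. The function begins and ends outside this hunk, so whether the check could go even earlier, before any buffer growth, cannot be judged from here; how the caller handles the descriptor on failure is also not visible.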
@@ -1020,14 +1029,6 @@
mObjectsSize++;
}
- // remember if it's a file descriptor
- if (val.type == BINDER_TYPE_FD) {
- if (!mAllowFds) {
- return FDS_NOT_ALLOWED;
- }
- mHasFds = mFdsKnown = true;
- }
-
return finishWrite(sizeof(flat_binder_object));
}