libbinder: Stricter protocol and code for receiving FDs

This is a slight change to the wire protocol. Now out-of-band FDs must
be sent along with the command header bytes.

The code changes exploit that by only using the more complex `recvmsg`
call when reading the command header. Additionally, we explicitly pass
around the list of FDs so that there is no risk of accumulating them.

The same (somewhat ugly) vector type is used everywhere now so that
there is only one allocation to capture the FDs and pass them to the
`Parcel` object.

Test: binderRpcTest
Bug: 185909244
Change-Id: I1f55995ca82338ab9716fb2246c954ac8b16cfe5
diff --git a/libs/binder/RpcTransportRaw.cpp b/libs/binder/RpcTransportRaw.cpp
index d9059e9..7cc58cd 100644
--- a/libs/binder/RpcTransportRaw.cpp
+++ b/libs/binder/RpcTransportRaw.cpp
@@ -204,9 +204,9 @@
     status_t interruptableReadFully(
             FdTrigger* fdTrigger, iovec* iovs, int niovs,
             const std::optional<android::base::function_ref<status_t()>>& altPoll,
-            bool enableAncillaryFds) override {
+            std::vector<std::variant<base::unique_fd, base::borrowed_fd>>* ancillaryFds) override {
         auto recv = [&](iovec* iovs, int niovs) -> ssize_t {
-            if (enableAncillaryFds) {
+            if (ancillaryFds != nullptr) {
                 int fdBuffer[kMaxFdsPerMsg];
                 alignas(struct cmsghdr) char msgControlBuf[CMSG_SPACE(sizeof(fdBuffer))];
 
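Review bot: The contract of the new `ancillaryFds` parameter is not stated at the override, and the base-class declaration is outside this diff: `nullptr` disables ancillary-data reception entirely (the `recvmsg` path is only taken when it is non-null), and when non-null, received descriptors are appended to whatever the vector already holds rather than replacing it. Suggest a comment above the signature such as `// ancillaryFds: nullptr to refuse SCM_RIGHTS; otherwise received fds are appended (the caller owns them).` interruptableReadFully continues past the end of this hunk, so whether a non-null vector is ever left non-empty on an error return cannot be checked here.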
@@ -228,10 +228,12 @@
                         // NOTE: It is tempting to reinterpret_cast, but cmsg(3) explicitly asks
                         // application devs to memcpy the data to ensure memory alignment.
                         size_t dataLen = cmsg->cmsg_len - CMSG_LEN(0);
+                        LOG_ALWAYS_FATAL_IF(dataLen > sizeof(fdBuffer)); // sanity check
                         memcpy(fdBuffer, CMSG_DATA(cmsg), dataLen);
                         size_t fdCount = dataLen / sizeof(int);
+                        ancillaryFds->reserve(ancillaryFds->size() + fdCount);
                         for (size_t i = 0; i < fdCount; i++) {
-                            mFdsPendingRead.emplace_back(fdBuffer[i]);
+                            ancillaryFds->emplace_back(base::unique_fd(fdBuffer[i]));
                         }
                         break;
                     }
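Review bot: The new `LOG_ALWAYS_FATAL_IF(dataLen > sizeof(fdBuffer))` aborts the process, and the `// sanity check` comment does not say why that is acceptable on a read path fed by a peer; the intended reason is presumably that `cmsg_len` is bounded by the `msgControlBuf` passed to `recvmsg`, so the condition is a local invariant rather than something the remote side can trigger, and the comment should say so. It also silently covers the case where `cmsg_len < CMSG_LEN(0)` makes the `size_t` subtraction wrap to a huge value, which is worth a word. Separately, `fdCount = dataLen / sizeof(int)` drops any trailing partial `int` without complaint; extending the check to `LOG_ALWAYS_FATAL_IF(dataLen > sizeof(fdBuffer) || dataLen % sizeof(int) != 0);` makes a malformed control payload visible instead of quietly under-counting descriptors. The enclosing `recv` lambda and interruptableReadFully both start in the previous hunk and end outside this one.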
@@ -256,18 +258,8 @@
         return interruptableReadOrWrite(fdTrigger, iovs, niovs, recv, "recvmsg", POLLIN, altPoll);
     }
 
-    status_t consumePendingAncillaryData(std::vector<base::unique_fd>* fds) override {
-        fds->reserve(fds->size() + mFdsPendingRead.size());
-        for (auto& fd : mFdsPendingRead) {
-            fds->emplace_back(std::move(fd));
-        }
-        mFdsPendingRead.clear();
-        return OK;
-    }
-
 private:
     base::unique_fd mSocket;
-    std::vector<base::unique_fd> mFdsPendingRead;
 };
 
 // RpcTransportCtx with TLS disabled.