diff options
author | Michael Wachenschwanz <mwachens@google.com> | 2018-04-17 16:52:40 -0700 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-07-16 20:31:32 +0200 |
commit | 7bb08cbd0cdc8693f5c48197aa66240139d77d88 (patch) | |
tree | e35b4722152e636d9fe63a67aa820584d3595e17 | |
parent | d53a5c4aa9051f2cca5407280fe53a09d67dfaad (diff) | |
download | frameworks_native-7bb08cbd0cdc8693f5c48197aa66240139d77d88.tar.gz frameworks_native-7bb08cbd0cdc8693f5c48197aa66240139d77d88.tar.bz2 frameworks_native-7bb08cbd0cdc8693f5c48197aa66240139d77d88.zip |
Increment when attempting to read protected Parcel Data
Make sure to increment the parcel data position even when trying to
improperly read from protected data
Bug: 29833520
Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtection
Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtectionIncrements
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtection
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtectionIncrements
Change-Id: Ie4aae6277fc5f5c924f603d9828c3a608998b986
Merged-In: Ie4aae6277fc5f5c924f603d9828c3a608998b986
(cherry picked from commit 6a825e8ad1a3928dd872bb7c3fbcd94784d77267)
-rw-r--r-- | libs/binder/Parcel.cpp | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index d121f78b7..280cd4577 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -1199,7 +1199,12 @@ status_t Parcel::read(void* outData, size_t len) const && len <= pad_size(len)) { if (mObjectsSize > 0) { status_t err = validateReadData(mDataPos + pad_size(len)); - if(err != NO_ERROR) return err; + if(err != NO_ERROR) { + // Still increment the data position by the expected length + mDataPos += pad_size(len); + ALOGV("read Setting data pos of %p to %zu", this, mDataPos); + return err; + } } memcpy(outData, mData+mDataPos, len); mDataPos += pad_size(len); @@ -1221,7 +1226,12 @@ const void* Parcel::readInplace(size_t len) const && len <= pad_size(len)) { if (mObjectsSize > 0) { status_t err = validateReadData(mDataPos + pad_size(len)); - if(err != NO_ERROR) return NULL; + if(err != NO_ERROR) { + // Still increment the data position by the expected length + mDataPos += pad_size(len); + ALOGV("readInplace Setting data pos of %p to %zu", this, mDataPos); + return NULL; + } } const void* data = mData+mDataPos; @@ -1239,7 +1249,11 @@ status_t Parcel::readAligned(T *pArg) const { if ((mDataPos+sizeof(T)) <= mDataSize) { if (mObjectsSize > 0) { status_t err = validateReadData(mDataPos + sizeof(T)); - if(err != NO_ERROR) return err; + if(err != NO_ERROR) { + // Still increment the data position by the expected length + mDataPos += sizeof(T); + return err; + } } const void* data = mData+mDataPos; |