summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Wachenschwanz <mwachens@google.com>2018-04-17 16:52:40 -0700
committerTim Schumacher <timschumi@gmx.de>2018-07-16 20:31:32 +0200
commit7bb08cbd0cdc8693f5c48197aa66240139d77d88 (patch)
treee35b4722152e636d9fe63a67aa820584d3595e17
parentd53a5c4aa9051f2cca5407280fe53a09d67dfaad (diff)
downloadframeworks_native-7bb08cbd0cdc8693f5c48197aa66240139d77d88.tar.gz
frameworks_native-7bb08cbd0cdc8693f5c48197aa66240139d77d88.tar.bz2
frameworks_native-7bb08cbd0cdc8693f5c48197aa66240139d77d88.zip
Increment when attempting to read protected Parcel Data
Make sure to increment the parcel data position even when trying to improperly read from protected data Bug: 29833520 Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtection Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtectionIncrements Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtection Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtectionIncrements Change-Id: Ie4aae6277fc5f5c924f603d9828c3a608998b986 Merged-In: Ie4aae6277fc5f5c924f603d9828c3a608998b986 (cherry picked from commit 6a825e8ad1a3928dd872bb7c3fbcd94784d77267)
-rw-r--r--libs/binder/Parcel.cpp20
1 files changed, 17 insertions, 3 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index d121f78b7..280cd4577 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1199,7 +1199,12 @@ status_t Parcel::read(void* outData, size_t len) const
&& len <= pad_size(len)) {
if (mObjectsSize > 0) {
status_t err = validateReadData(mDataPos + pad_size(len));
- if(err != NO_ERROR) return err;
+ if(err != NO_ERROR) {
+ // Still increment the data position by the expected length
+ mDataPos += pad_size(len);
+ ALOGV("read Setting data pos of %p to %zu", this, mDataPos);
+ return err;
+ }
}
memcpy(outData, mData+mDataPos, len);
mDataPos += pad_size(len);
@@ -1221,7 +1226,12 @@ const void* Parcel::readInplace(size_t len) const
&& len <= pad_size(len)) {
if (mObjectsSize > 0) {
status_t err = validateReadData(mDataPos + pad_size(len));
- if(err != NO_ERROR) return NULL;
+ if(err != NO_ERROR) {
+ // Still increment the data position by the expected length
+ mDataPos += pad_size(len);
+ ALOGV("readInplace Setting data pos of %p to %zu", this, mDataPos);
+ return NULL;
+ }
}
const void* data = mData+mDataPos;
@@ -1239,7 +1249,11 @@ status_t Parcel::readAligned(T *pArg) const {
if ((mDataPos+sizeof(T)) <= mDataSize) {
if (mObjectsSize > 0) {
status_t err = validateReadData(mDataPos + sizeof(T));
- if(err != NO_ERROR) return err;
+ if(err != NO_ERROR) {
+ // Still increment the data position by the expected length
+ mDataPos += sizeof(T);
+ return err;
+ }
}
const void* data = mData+mDataPos;