Increment when attempting to read protected Parcel Data

Make sure to increment the parcel data position even when trying to improperly read from protected data Bug: 29833520 Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtection Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtectionIncrements Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtection Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtectionIncrements Change-Id: Ie4aae6277fc5f5c924f603d9828c3a608998b986 Merged-In: Ie4aae6277fc5f5c924f603d9828c3a608998b986
author: Michael Wachenschwanz <mwachens@google.com> 2018-04-17 16:52:40 -0700
committer: Atanas Kirilov <akirilov@google.com> 2018-04-18 20:08:21 +0000
commit: 6a825e8ad1a3928dd872bb7c3fbcd94784d77267 (patch)
tree: 9807758fc3b527fcbac58eb9df67009d18e45943
parent: f784183c17a4985b9703ac22d063ad4ef8b9090f (diff)
1 files changed, 17 insertions, 3 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index ef14475ae2..9f68e7aa8c 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1125,7 +1125,12 @@ status_t Parcel::read(void* outData, size_t len) const
             && len <= pad_size(len)) {
         if (mObjectsSize > 0) {
             status_t err = validateReadData(mDataPos + pad_size(len));
-            if(err != NO_ERROR) return err;
+            if(err != NO_ERROR) {
+                // Still increment the data position by the expected length
+                mDataPos += pad_size(len);
+                ALOGV("read Setting data pos of %p to %zu", this, mDataPos);
+                return err;
+            }
         }
         memcpy(outData, mData+mDataPos, len);
         mDataPos += pad_size(len);
@@ -1147,7 +1152,12 @@ const void* Parcel::readInplace(size_t len) const
             && len <= pad_size(len)) {
         if (mObjectsSize > 0) {
             status_t err = validateReadData(mDataPos + pad_size(len));
-            if(err != NO_ERROR) return NULL;
+            if(err != NO_ERROR) {
+                // Still increment the data position by the expected length
+                mDataPos += pad_size(len);
+                ALOGV("readInplace Setting data pos of %p to %zu", this, mDataPos);
+                return NULL;
+            }
         }
 
         const void* data = mData+mDataPos;
@@ -1165,7 +1175,11 @@ status_t Parcel::readAligned(T *pArg) const {
     if ((mDataPos+sizeof(T)) <= mDataSize) {
         if (mObjectsSize > 0) {
             status_t err = validateReadData(mDataPos + sizeof(T));
-            if(err != NO_ERROR) return err;
+            if(err != NO_ERROR) {
+                // Still increment the data position by the expected length
+                mDataPos += sizeof(T);
+                return err;
+            }
         }
 
         const void* data = mData+mDataPos;
author	Michael Wachenschwanz <mwachens@google.com>	2018-04-17 16:52:40 -0700
committer	Atanas Kirilov <akirilov@google.com>	2018-04-18 20:08:21 +0000
commit	6a825e8ad1a3928dd872bb7c3fbcd94784d77267 (patch)
tree	9807758fc3b527fcbac58eb9df67009d18e45943
parent	f784183c17a4985b9703ac22d063ad4ef8b9090f (diff)