diff options
| author | 2022-06-07 17:26:17 +0000 | |
|---|---|---|
| committer | 2022-06-07 19:14:39 +0000 | |
| commit | 6653bde0b61f3707e4df283ca9ac537696b819c0 (patch) | |
| tree | 10da9c8ef2ad1a6e3a93076428d892afe391799f | |
| parent | 97c1356a08376bd1664a0ce5be5591fe9c91c7d6 (diff) | |
libbinder: Status - fix read at end of Parcel
Due to OBO (actually off by 4), a Status at the end of the Parcel
with exception information would be reduced to EX_TRANSACTION_FAILED
in native code.
Bug: 235006086
Bug: 132650049
Test: connectivity_native_test, binder_parcel_fuzzer (for a few minutes), aidl_integration_test
Change-Id: I5660958006d7670ad6fc3aabde725cd1d8fe188a
| -rw-r--r-- | libs/binder/Status.cpp | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/libs/binder/Status.cpp b/libs/binder/Status.cpp index 83b97d04c6..dba65878fb 100644 --- a/libs/binder/Status.cpp +++ b/libs/binder/Status.cpp @@ -139,6 +139,9 @@ status_t Status::readFromParcel(const Parcel& parcel) { mMessage = String8(message.value_or(String16())); // Skip over the remote stack trace data + const size_t remote_start = parcel.dataPosition(); + // Get available size before reading more + const size_t remote_avail = parcel.dataAvail(); int32_t remote_stack_trace_header_size; status = parcel.readInt32(&remote_stack_trace_header_size); if (status != OK) { @@ -146,13 +149,16 @@ status_t Status::readFromParcel(const Parcel& parcel) { return status; } if (remote_stack_trace_header_size < 0 || - static_cast<size_t>(remote_stack_trace_header_size) > parcel.dataAvail()) { + static_cast<size_t>(remote_stack_trace_header_size) > remote_avail) { android_errorWriteLog(0x534e4554, "132650049"); setFromStatusT(UNKNOWN_ERROR); return UNKNOWN_ERROR; } - parcel.setDataPosition(parcel.dataPosition() + remote_stack_trace_header_size); + + if (remote_stack_trace_header_size != 0) { + parcel.setDataPosition(remote_start + remote_stack_trace_header_size); + } if (mException == EX_SERVICE_SPECIFIC) { status = parcel.readInt32(&mErrorCode); |