Deserialize a native_handle safely.

Actually verify that the native_handle size that we receive
matches with the number of integers and file descriptors
enclosed within.

Bug: 120084106
Test: builds, boots
Change-Id: Ibc52170fcfc59d4f0354b5df4b9745b58ab244fe
(cherry picked from commit 5ad4ab1189dbf3fbee6c8c75b30f37fd9db40ed9)
diff --git a/Parcel.cpp b/Parcel.cpp
index 59a4686..938a8c3 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -1708,6 +1708,24 @@
         return status;
     }
 
+    int numFds = (*handle)->numFds;
+    int numInts = (*handle)->numInts;
+
+    if (numFds < 0 || numFds > NATIVE_HANDLE_MAX_FDS) {
+        ALOGE("Received native_handle with invalid number of fds.");
+        return BAD_VALUE;
+    }
+
+    if (numInts < 0 || numInts > NATIVE_HANDLE_MAX_INTS) {
+        ALOGE("Received native_handle with invalid number of ints.");
+        return BAD_VALUE;
+    }
+
+    if (nativeHandleSize != (sizeof(native_handle_t) + ((numFds + numInts) * sizeof(int)))) {
+        ALOGE("Size of native_handle doesn't match.");
+        return BAD_VALUE;
+    }
+
     const binder_fd_array_object* fd_array_obj = readObject<binder_fd_array_object>();
 
     if (fd_array_obj == nullptr || fd_array_obj->hdr.type != BINDER_TYPE_FDA) {
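Review bot: The header's `version` field is still accepted as received: the added checks cover `numFds`, `numInts` and the total size only, so unless `version` is validated outside this hunk, a handle with consistent counts but a `version` other than `sizeof(native_handle_t)` is handed on to the caller. Consider adding `if ((*handle)->version != static_cast<int>(sizeof(native_handle_t))) return BAD_VALUE;` next to the count checks. The size comparison is only overflow-safe because both counts are bounded first, which deserves a short comment above it, e.g. `// numFds and numInts are bounded above, so the sum cannot overflow`. The function begins and ends outside the hunk, so it cannot be confirmed from here that `nativeHandleSize` is already known to cover the header before `(*handle)->numFds` is read.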
@@ -1715,7 +1733,7 @@
         return BAD_VALUE;
     }
 
-    if (static_cast<int>(fd_array_obj->num_fds) != (*handle)->numFds) {
+    if (static_cast<int>(fd_array_obj->num_fds) != numFds) {
         ALOGE("Number of native handles does not match.");
         return BAD_VALUE;
     }
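Review bot: The comparison on the changed line still narrows `fd_array_obj->num_fds` with `static_cast<int>` before comparing. If that field is wider than `int` (its declaration is not visible in this hunk), an out-of-range value can truncate to a number that equals `numFds` and pass the check. Since `numFds` is already known to be non-negative at this point, the comparison can be done in the wider unsigned type instead: `if (fd_array_obj->num_fds != static_cast<size_t>(numFds)) {`. The enclosing function continues past the end of the hunk, so later uses of `num_fds` are not visible here.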