commit 7227c8a7b5e95ae47f2c2c19c22e3004848f8129
author Steven Moreland <smoreland@google.com> Wed Jun 02 00:24:32 2021 +0000
committer Steven Moreland <smoreland@google.com> Wed Jun 02 17:22:46 2021 +0000
tree 290e0a6246ab03f41ac70bb5468e7a2e041d9446
parent e81fe8297f30d8e73bb1d19f43cdd1a54e971ceb

libbinder: onBinder* respect termination

Previously, these would leak binder objects if transactions occurred on
already terminated RpcState objects.

Fixes: 189345133
Test: binder_parcel_fuzzer (w/ leak repro), binderRpcTest
Change-Id: I68f86bf0656dd316691634d4fc411e6cac361449

libs/binder/Parcel.cpp

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 9795348..d19b4d8 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -283,9 +283,10 @@
 
         if (isNull & 1) {
             auto addr = RpcAddress::zero();
-            status_t status = addr.readFromParcel(*this);
-            if (status != OK) return status;
-            binder = mSession->state()->onBinderEntering(mSession, addr);
+            if (status_t status = addr.readFromParcel(*this); status != OK) return status;
+            if (status_t status = mSession->state()->onBinderEntering(mSession, addr, &binder);
+                status != OK)
+                return status;
         }
 
         return finishUnflattenBinder(binder, out);