1 /*
2 * Copyright (C) 2005 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "Parcel"
18 //#define LOG_NDEBUG 0
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <inttypes.h>
23 #include <pthread.h>
24 #include <stdint.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <sys/mman.h>
28 #include <sys/stat.h>
29 #include <sys/types.h>
30 #include <sys/resource.h>
31 #include <unistd.h>
32
33 #include <binder/Binder.h>
34 #include <binder/BpBinder.h>
35 #include <binder/IPCThreadState.h>
36 #include <binder/Parcel.h>
37 #include <binder/ProcessState.h>
38 #include <binder/Status.h>
39 #include <binder/TextOutput.h>
40
41 #include <cutils/ashmem.h>
42 #include <utils/Debug.h>
43 #include <utils/Flattenable.h>
44 #include <utils/Log.h>
45 #include <utils/misc.h>
46 #include <utils/String8.h>
47 #include <utils/String16.h>
48
49 #include <private/binder/binder_module.h>
50 #include <private/binder/Static.h>
51
52 #ifndef INT32_MAX
53 #define INT32_MAX ((int32_t)(2147483647))
54 #endif
55
56 #define LOG_REFS(...)
57 //#define LOG_REFS(...) ALOG(LOG_DEBUG, LOG_TAG, __VA_ARGS__)
58 #define LOG_ALLOC(...)
59 //#define LOG_ALLOC(...) ALOG(LOG_DEBUG, LOG_TAG, __VA_ARGS__)
60
61 // ---------------------------------------------------------------------------
62
63 // This macro should never be used at runtime, as a too large value
64 // of s could cause an integer overflow. Instead, you should always
65 // use the wrapper function pad_size()
66 #define PAD_SIZE_UNSAFE(s) (((s)+3)&~3)
67
pad_size(size_t s)68 static size_t pad_size(size_t s) {
69 if (s > (SIZE_T_MAX - 3)) {
70 abort();
71 }
72 return PAD_SIZE_UNSAFE(s);
73 }
74
75 // Note: must be kept in sync with android/os/StrictMode.java's PENALTY_GATHER
76 #define STRICT_MODE_PENALTY_GATHER (0x40 << 16)
77
78 // XXX This can be made public if we want to provide
79 // support for typed data.
80 struct small_flat_data
81 {
82 uint32_t type;
83 uint32_t data;
84 };
85
86 namespace android {
87
88 static pthread_mutex_t gParcelGlobalAllocSizeLock = PTHREAD_MUTEX_INITIALIZER;
89 static size_t gParcelGlobalAllocSize = 0;
90 static size_t gParcelGlobalAllocCount = 0;
91
92 static size_t gMaxFds = 0;
93
94 // Maximum size of a blob to transfer in-place.
95 static const size_t BLOB_INPLACE_LIMIT = 16 * 1024;
96
97 enum {
98 BLOB_INPLACE = 0,
99 BLOB_ASHMEM_IMMUTABLE = 1,
100 BLOB_ASHMEM_MUTABLE = 2,
101 };
102
ashmem_rdev()103 static dev_t ashmem_rdev()
104 {
105 static dev_t __ashmem_rdev;
106 static pthread_mutex_t __ashmem_rdev_lock = PTHREAD_MUTEX_INITIALIZER;
107
108 pthread_mutex_lock(&__ashmem_rdev_lock);
109
110 dev_t rdev = __ashmem_rdev;
111 if (!rdev) {
112 int fd = TEMP_FAILURE_RETRY(open("/dev/ashmem", O_RDONLY));
113 if (fd >= 0) {
114 struct stat st;
115
116 int ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
117 close(fd);
118 if ((ret >= 0) && S_ISCHR(st.st_mode)) {
119 rdev = __ashmem_rdev = st.st_rdev;
120 }
121 }
122 }
123
124 pthread_mutex_unlock(&__ashmem_rdev_lock);
125
126 return rdev;
127 }
128
acquire_object(const sp<ProcessState> & proc,const flat_binder_object & obj,const void * who,size_t * outAshmemSize)129 void acquire_object(const sp<ProcessState>& proc,
130 const flat_binder_object& obj, const void* who, size_t* outAshmemSize)
131 {
132 switch (obj.type) {
133 case BINDER_TYPE_BINDER:
134 if (obj.binder) {
135 LOG_REFS("Parcel %p acquiring reference on local %p", who, obj.cookie);
136 reinterpret_cast<IBinder*>(obj.cookie)->incStrong(who);
137 }
138 return;
139 case BINDER_TYPE_WEAK_BINDER:
140 if (obj.binder)
141 reinterpret_cast<RefBase::weakref_type*>(obj.binder)->incWeak(who);
142 return;
143 case BINDER_TYPE_HANDLE: {
144 const sp<IBinder> b = proc->getStrongProxyForHandle(obj.handle);
145 if (b != NULL) {
146 LOG_REFS("Parcel %p acquiring reference on remote %p", who, b.get());
147 b->incStrong(who);
148 }
149 return;
150 }
151 case BINDER_TYPE_WEAK_HANDLE: {
152 const wp<IBinder> b = proc->getWeakProxyForHandle(obj.handle);
153 if (b != NULL) b.get_refs()->incWeak(who);
154 return;
155 }
156 case BINDER_TYPE_FD: {
157 if ((obj.cookie != 0) && (outAshmemSize != NULL)) {
158 struct stat st;
159 int ret = fstat(obj.handle, &st);
160 if (!ret && S_ISCHR(st.st_mode) && (st.st_rdev == ashmem_rdev())) {
161 // If we own an ashmem fd, keep track of how much memory it refers to.
162 int size = ashmem_get_size_region(obj.handle);
163 if (size > 0) {
164 *outAshmemSize += size;
165 }
166 }
167 }
168 return;
169 }
170 }
171
172 ALOGD("Invalid object type 0x%08x", obj.type);
173 }
174
acquire_object(const sp<ProcessState> & proc,const flat_binder_object & obj,const void * who)175 void acquire_object(const sp<ProcessState>& proc,
176 const flat_binder_object& obj, const void* who)
177 {
178 acquire_object(proc, obj, who, NULL);
179 }
180
release_object(const sp<ProcessState> & proc,const flat_binder_object & obj,const void * who,size_t * outAshmemSize)181 static void release_object(const sp<ProcessState>& proc,
182 const flat_binder_object& obj, const void* who, size_t* outAshmemSize)
183 {
184 switch (obj.type) {
185 case BINDER_TYPE_BINDER:
186 if (obj.binder) {
187 LOG_REFS("Parcel %p releasing reference on local %p", who, obj.cookie);
188 reinterpret_cast<IBinder*>(obj.cookie)->decStrong(who);
189 }
190 return;
191 case BINDER_TYPE_WEAK_BINDER:
192 if (obj.binder)
193 reinterpret_cast<RefBase::weakref_type*>(obj.binder)->decWeak(who);
194 return;
195 case BINDER_TYPE_HANDLE: {
196 const sp<IBinder> b = proc->getStrongProxyForHandle(obj.handle);
197 if (b != NULL) {
198 LOG_REFS("Parcel %p releasing reference on remote %p", who, b.get());
199 b->decStrong(who);
200 }
201 return;
202 }
203 case BINDER_TYPE_WEAK_HANDLE: {
204 const wp<IBinder> b = proc->getWeakProxyForHandle(obj.handle);
205 if (b != NULL) b.get_refs()->decWeak(who);
206 return;
207 }
208 case BINDER_TYPE_FD: {
209 if (obj.cookie != 0) { // owned
210 if (outAshmemSize != NULL) {
211 struct stat st;
212 int ret = fstat(obj.handle, &st);
213 if (!ret && S_ISCHR(st.st_mode) && (st.st_rdev == ashmem_rdev())) {
214 int size = ashmem_get_size_region(obj.handle);
215 if (size > 0) {
216 *outAshmemSize -= size;
217 }
218 }
219 }
220
221 close(obj.handle);
222 }
223 return;
224 }
225 }
226
227 ALOGE("Invalid object type 0x%08x", obj.type);
228 }
229
release_object(const sp<ProcessState> & proc,const flat_binder_object & obj,const void * who)230 void release_object(const sp<ProcessState>& proc,
231 const flat_binder_object& obj, const void* who)
232 {
233 release_object(proc, obj, who, NULL);
234 }
235
finish_flatten_binder(const sp<IBinder> &,const flat_binder_object & flat,Parcel * out)236 inline static status_t finish_flatten_binder(
237 const sp<IBinder>& /*binder*/, const flat_binder_object& flat, Parcel* out)
238 {
239 return out->writeObject(flat, false);
240 }
241
flatten_binder(const sp<ProcessState> &,const sp<IBinder> & binder,Parcel * out)242 status_t flatten_binder(const sp<ProcessState>& /*proc*/,
243 const sp<IBinder>& binder, Parcel* out)
244 {
245 flat_binder_object obj;
246
247 obj.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
248 if (binder != NULL) {
249 IBinder *local = binder->localBinder();
250 if (!local) {
251 BpBinder *proxy = binder->remoteBinder();
252 if (proxy == NULL) {
253 ALOGE("null proxy");
254 }
255 const int32_t handle = proxy ? proxy->handle() : 0;
256 obj.type = BINDER_TYPE_HANDLE;
257 obj.binder = 0; /* Don't pass uninitialized stack data to a remote process */
258 obj.handle = handle;
259 obj.cookie = 0;
260 } else {
261 obj.type = BINDER_TYPE_BINDER;
262 obj.binder = reinterpret_cast<uintptr_t>(local->getWeakRefs());
263 obj.cookie = reinterpret_cast<uintptr_t>(local);
264 }
265 } else {
266 obj.type = BINDER_TYPE_BINDER;
267 obj.binder = 0;
268 obj.cookie = 0;
269 }
270
271 return finish_flatten_binder(binder, obj, out);
272 }
273
flatten_binder(const sp<ProcessState> &,const wp<IBinder> & binder,Parcel * out)274 status_t flatten_binder(const sp<ProcessState>& /*proc*/,
275 const wp<IBinder>& binder, Parcel* out)
276 {
277 flat_binder_object obj;
278
279 obj.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
280 if (binder != NULL) {
281 sp<IBinder> real = binder.promote();
282 if (real != NULL) {
283 IBinder *local = real->localBinder();
284 if (!local) {
285 BpBinder *proxy = real->remoteBinder();
286 if (proxy == NULL) {
287 ALOGE("null proxy");
288 }
289 const int32_t handle = proxy ? proxy->handle() : 0;
290 obj.type = BINDER_TYPE_WEAK_HANDLE;
291 obj.binder = 0; /* Don't pass uninitialized stack data to a remote process */
292 obj.handle = handle;
293 obj.cookie = 0;
294 } else {
295 obj.type = BINDER_TYPE_WEAK_BINDER;
296 obj.binder = reinterpret_cast<uintptr_t>(binder.get_refs());
297 obj.cookie = reinterpret_cast<uintptr_t>(binder.unsafe_get());
298 }
299 return finish_flatten_binder(real, obj, out);
300 }
301
302 // XXX How to deal? In order to flatten the given binder,
303 // we need to probe it for information, which requires a primary
304 // reference... but we don't have one.
305 //
306 // The OpenBinder implementation uses a dynamic_cast<> here,
307 // but we can't do that with the different reference counting
308 // implementation we are using.
309 ALOGE("Unable to unflatten Binder weak reference!");
310 obj.type = BINDER_TYPE_BINDER;
311 obj.binder = 0;
312 obj.cookie = 0;
313 return finish_flatten_binder(NULL, obj, out);
314
315 } else {
316 obj.type = BINDER_TYPE_BINDER;
317 obj.binder = 0;
318 obj.cookie = 0;
319 return finish_flatten_binder(NULL, obj, out);
320 }
321 }
322
finish_unflatten_binder(BpBinder *,const flat_binder_object &,const Parcel &)323 inline static status_t finish_unflatten_binder(
324 BpBinder* /*proxy*/, const flat_binder_object& /*flat*/,
325 const Parcel& /*in*/)
326 {
327 return NO_ERROR;
328 }
329
unflatten_binder(const sp<ProcessState> & proc,const Parcel & in,sp<IBinder> * out)330 status_t unflatten_binder(const sp<ProcessState>& proc,
331 const Parcel& in, sp<IBinder>* out)
332 {
333 const flat_binder_object* flat = in.readObject(false);
334
335 if (flat) {
336 switch (flat->type) {
337 case BINDER_TYPE_BINDER:
338 *out = reinterpret_cast<IBinder*>(flat->cookie);
339 return finish_unflatten_binder(NULL, *flat, in);
340 case BINDER_TYPE_HANDLE:
341 *out = proc->getStrongProxyForHandle(flat->handle);
342 return finish_unflatten_binder(
343 static_cast<BpBinder*>(out->get()), *flat, in);
344 }
345 }
346 return BAD_TYPE;
347 }
348
unflatten_binder(const sp<ProcessState> & proc,const Parcel & in,wp<IBinder> * out)349 status_t unflatten_binder(const sp<ProcessState>& proc,
350 const Parcel& in, wp<IBinder>* out)
351 {
352 const flat_binder_object* flat = in.readObject(false);
353
354 if (flat) {
355 switch (flat->type) {
356 case BINDER_TYPE_BINDER:
357 *out = reinterpret_cast<IBinder*>(flat->cookie);
358 return finish_unflatten_binder(NULL, *flat, in);
359 case BINDER_TYPE_WEAK_BINDER:
360 if (flat->binder != 0) {
361 out->set_object_and_refs(
362 reinterpret_cast<IBinder*>(flat->cookie),
363 reinterpret_cast<RefBase::weakref_type*>(flat->binder));
364 } else {
365 *out = NULL;
366 }
367 return finish_unflatten_binder(NULL, *flat, in);
368 case BINDER_TYPE_HANDLE:
369 case BINDER_TYPE_WEAK_HANDLE:
370 *out = proc->getWeakProxyForHandle(flat->handle);
371 return finish_unflatten_binder(
372 static_cast<BpBinder*>(out->unsafe_get()), *flat, in);
373 }
374 }
375 return BAD_TYPE;
376 }
377
378 // ---------------------------------------------------------------------------
379
Parcel()380 Parcel::Parcel()
381 {
382 LOG_ALLOC("Parcel %p: constructing", this);
383 initState();
384 }
385
~Parcel()386 Parcel::~Parcel()
387 {
388 freeDataNoInit();
389 LOG_ALLOC("Parcel %p: destroyed", this);
390 }
391
getGlobalAllocSize()392 size_t Parcel::getGlobalAllocSize() {
393 pthread_mutex_lock(&gParcelGlobalAllocSizeLock);
394 size_t size = gParcelGlobalAllocSize;
395 pthread_mutex_unlock(&gParcelGlobalAllocSizeLock);
396 return size;
397 }
398
getGlobalAllocCount()399 size_t Parcel::getGlobalAllocCount() {
400 pthread_mutex_lock(&gParcelGlobalAllocSizeLock);
401 size_t count = gParcelGlobalAllocCount;
402 pthread_mutex_unlock(&gParcelGlobalAllocSizeLock);
403 return count;
404 }
405
data() const406 const uint8_t* Parcel::data() const
407 {
408 return mData;
409 }
410
dataSize() const411 size_t Parcel::dataSize() const
412 {
413 return (mDataSize > mDataPos ? mDataSize : mDataPos);
414 }
415
dataAvail() const416 size_t Parcel::dataAvail() const
417 {
418 size_t result = dataSize() - dataPosition();
419 if (result > INT32_MAX) {
420 abort();
421 }
422 return result;
423 }
424
dataPosition() const425 size_t Parcel::dataPosition() const
426 {
427 return mDataPos;
428 }
429
dataCapacity() const430 size_t Parcel::dataCapacity() const
431 {
432 return mDataCapacity;
433 }
434
setDataSize(size_t size)435 status_t Parcel::setDataSize(size_t size)
436 {
437 if (size > INT32_MAX) {
438 // don't accept size_t values which may have come from an
439 // inadvertent conversion from a negative int.
440 return BAD_VALUE;
441 }
442
443 status_t err;
444 err = continueWrite(size);
445 if (err == NO_ERROR) {
446 mDataSize = size;
447 ALOGV("setDataSize Setting data size of %p to %zu", this, mDataSize);
448 }
449 return err;
450 }
451
setDataPosition(size_t pos) const452 void Parcel::setDataPosition(size_t pos) const
453 {
454 if (pos > INT32_MAX) {
455 // don't accept size_t values which may have come from an
456 // inadvertent conversion from a negative int.
457 abort();
458 }
459
460 mDataPos = pos;
461 mNextObjectHint = 0;
462 }
463
setDataCapacity(size_t size)464 status_t Parcel::setDataCapacity(size_t size)
465 {
466 if (size > INT32_MAX) {
467 // don't accept size_t values which may have come from an
468 // inadvertent conversion from a negative int.
469 return BAD_VALUE;
470 }
471
472 if (size > mDataCapacity) return continueWrite(size);
473 return NO_ERROR;
474 }
475
setData(const uint8_t * buffer,size_t len)476 status_t Parcel::setData(const uint8_t* buffer, size_t len)
477 {
478 if (len > INT32_MAX) {
479 // don't accept size_t values which may have come from an
480 // inadvertent conversion from a negative int.
481 return BAD_VALUE;
482 }
483
484 status_t err = restartWrite(len);
485 if (err == NO_ERROR) {
486 memcpy(const_cast<uint8_t*>(data()), buffer, len);
487 mDataSize = len;
488 mFdsKnown = false;
489 }
490 return err;
491 }
492
appendFrom(const Parcel * parcel,size_t offset,size_t len)493 status_t Parcel::appendFrom(const Parcel *parcel, size_t offset, size_t len)
494 {
495 const sp<ProcessState> proc(ProcessState::self());
496 status_t err;
497 const uint8_t *data = parcel->mData;
498 const binder_size_t *objects = parcel->mObjects;
499 size_t size = parcel->mObjectsSize;
500 int startPos = mDataPos;
501 int firstIndex = -1, lastIndex = -2;
502
503 if (len == 0) {
504 return NO_ERROR;
505 }
506
507 if (len > INT32_MAX) {
508 // don't accept size_t values which may have come from an
509 // inadvertent conversion from a negative int.
510 return BAD_VALUE;
511 }
512
513 // range checks against the source parcel size
514 if ((offset > parcel->mDataSize)
515 || (len > parcel->mDataSize)
516 || (offset + len > parcel->mDataSize)) {
517 return BAD_VALUE;
518 }
519
520 // Count objects in range
521 for (int i = 0; i < (int) size; i++) {
522 size_t off = objects[i];
523 if ((off >= offset) && (off + sizeof(flat_binder_object) <= offset + len)) {
524 if (firstIndex == -1) {
525 firstIndex = i;
526 }
527 lastIndex = i;
528 }
529 }
530 int numObjects = lastIndex - firstIndex + 1;
531
532 if ((mDataSize+len) > mDataCapacity) {
533 // grow data
534 err = growData(len);
535 if (err != NO_ERROR) {
536 return err;
537 }
538 }
539
540 // append data
541 memcpy(mData + mDataPos, data + offset, len);
542 mDataPos += len;
543 mDataSize += len;
544
545 err = NO_ERROR;
546
547 if (numObjects > 0) {
548 // grow objects
549 if (mObjectsCapacity < mObjectsSize + numObjects) {
550 size_t newSize = ((mObjectsSize + numObjects)*3)/2;
551 if (newSize*sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY; // overflow
552 binder_size_t *objects =
553 (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t));
554 if (objects == (binder_size_t*)0) {
555 return NO_MEMORY;
556 }
557 mObjects = objects;
558 mObjectsCapacity = newSize;
559 }
560
561 // append and acquire objects
562 int idx = mObjectsSize;
563 for (int i = firstIndex; i <= lastIndex; i++) {
564 size_t off = objects[i] - offset + startPos;
565 mObjects[idx++] = off;
566 mObjectsSize++;
567
568 flat_binder_object* flat
569 = reinterpret_cast<flat_binder_object*>(mData + off);
570 acquire_object(proc, *flat, this, &mOpenAshmemSize);
571
572 if (flat->type == BINDER_TYPE_FD) {
573 // If this is a file descriptor, we need to dup it so the
574 // new Parcel now owns its own fd, and can declare that we
575 // officially know we have fds.
576 flat->handle = dup(flat->handle);
577 flat->cookie = 1;
578 mHasFds = mFdsKnown = true;
579 if (!mAllowFds) {
580 err = FDS_NOT_ALLOWED;
581 }
582 }
583 }
584 }
585
586 return err;
587 }
588
allowFds() const589 bool Parcel::allowFds() const
590 {
591 return mAllowFds;
592 }
593
pushAllowFds(bool allowFds)594 bool Parcel::pushAllowFds(bool allowFds)
595 {
596 const bool origValue = mAllowFds;
597 if (!allowFds) {
598 mAllowFds = false;
599 }
600 return origValue;
601 }
602
restoreAllowFds(bool lastValue)603 void Parcel::restoreAllowFds(bool lastValue)
604 {
605 mAllowFds = lastValue;
606 }
607
hasFileDescriptors() const608 bool Parcel::hasFileDescriptors() const
609 {
610 if (!mFdsKnown) {
611 scanForFds();
612 }
613 return mHasFds;
614 }
615
616 // Write RPC headers. (previously just the interface token)
writeInterfaceToken(const String16 & interface)617 status_t Parcel::writeInterfaceToken(const String16& interface)
618 {
619 writeInt32(IPCThreadState::self()->getStrictModePolicy() |
620 STRICT_MODE_PENALTY_GATHER);
621 // currently the interface identification token is just its name as a string
622 return writeString16(interface);
623 }
624
checkInterface(IBinder * binder) const625 bool Parcel::checkInterface(IBinder* binder) const
626 {
627 return enforceInterface(binder->getInterfaceDescriptor());
628 }
629
enforceInterface(const String16 & interface,IPCThreadState * threadState) const630 bool Parcel::enforceInterface(const String16& interface,
631 IPCThreadState* threadState) const
632 {
633 int32_t strictPolicy = readInt32();
634 if (threadState == NULL) {
635 threadState = IPCThreadState::self();
636 }
637 if ((threadState->getLastTransactionBinderFlags() &
638 IBinder::FLAG_ONEWAY) != 0) {
639 // For one-way calls, the callee is running entirely
640 // disconnected from the caller, so disable StrictMode entirely.
641 // Not only does disk/network usage not impact the caller, but
642 // there's no way to commuicate back any violations anyway.
643 threadState->setStrictModePolicy(0);
644 } else {
645 threadState->setStrictModePolicy(strictPolicy);
646 }
647 const String16 str(readString16());
648 if (str == interface) {
649 return true;
650 } else {
651 ALOGW("**** enforceInterface() expected '%s' but read '%s'",
652 String8(interface).string(), String8(str).string());
653 return false;
654 }
655 }
656
objects() const657 const binder_size_t* Parcel::objects() const
658 {
659 return mObjects;
660 }
661
objectsCount() const662 size_t Parcel::objectsCount() const
663 {
664 return mObjectsSize;
665 }
666
errorCheck() const667 status_t Parcel::errorCheck() const
668 {
669 return mError;
670 }
671
setError(status_t err)672 void Parcel::setError(status_t err)
673 {
674 mError = err;
675 }
676
finishWrite(size_t len)677 status_t Parcel::finishWrite(size_t len)
678 {
679 if (len > INT32_MAX) {
680 // don't accept size_t values which may have come from an
681 // inadvertent conversion from a negative int.
682 return BAD_VALUE;
683 }
684
685 //printf("Finish write of %d\n", len);
686 mDataPos += len;
687 ALOGV("finishWrite Setting data pos of %p to %zu", this, mDataPos);
688 if (mDataPos > mDataSize) {
689 mDataSize = mDataPos;
690 ALOGV("finishWrite Setting data size of %p to %zu", this, mDataSize);
691 }
692 //printf("New pos=%d, size=%d\n", mDataPos, mDataSize);
693 return NO_ERROR;
694 }
695
writeUnpadded(const void * data,size_t len)696 status_t Parcel::writeUnpadded(const void* data, size_t len)
697 {
698 if (len > INT32_MAX) {
699 // don't accept size_t values which may have come from an
700 // inadvertent conversion from a negative int.
701 return BAD_VALUE;
702 }
703
704 size_t end = mDataPos + len;
705 if (end < mDataPos) {
706 // integer overflow
707 return BAD_VALUE;
708 }
709
710 if (end <= mDataCapacity) {
711 restart_write:
712 memcpy(mData+mDataPos, data, len);
713 return finishWrite(len);
714 }
715
716 status_t err = growData(len);
717 if (err == NO_ERROR) goto restart_write;
718 return err;
719 }
720
write(const void * data,size_t len)721 status_t Parcel::write(const void* data, size_t len)
722 {
723 if (len > INT32_MAX) {
724 // don't accept size_t values which may have come from an
725 // inadvertent conversion from a negative int.
726 return BAD_VALUE;
727 }
728
729 void* const d = writeInplace(len);
730 if (d) {
731 memcpy(d, data, len);
732 return NO_ERROR;
733 }
734 return mError;
735 }
736
writeInplace(size_t len)737 void* Parcel::writeInplace(size_t len)
738 {
739 if (len > INT32_MAX) {
740 // don't accept size_t values which may have come from an
741 // inadvertent conversion from a negative int.
742 return NULL;
743 }
744
745 const size_t padded = pad_size(len);
746
747 // sanity check for integer overflow
748 if (mDataPos+padded < mDataPos) {
749 return NULL;
750 }
751
752 if ((mDataPos+padded) <= mDataCapacity) {
753 restart_write:
754 //printf("Writing %ld bytes, padded to %ld\n", len, padded);
755 uint8_t* const data = mData+mDataPos;
756
757 // Need to pad at end?
758 if (padded != len) {
759 #if BYTE_ORDER == BIG_ENDIAN
760 static const uint32_t mask[4] = {
761 0x00000000, 0xffffff00, 0xffff0000, 0xff000000
762 };
763 #endif
764 #if BYTE_ORDER == LITTLE_ENDIAN
765 static const uint32_t mask[4] = {
766 0x00000000, 0x00ffffff, 0x0000ffff, 0x000000ff
767 };
768 #endif
769 //printf("Applying pad mask: %p to %p\n", (void*)mask[padded-len],
770 // *reinterpret_cast<void**>(data+padded-4));
771 *reinterpret_cast<uint32_t*>(data+padded-4) &= mask[padded-len];
772 }
773
774 finishWrite(padded);
775 return data;
776 }
777
778 status_t err = growData(padded);
779 if (err == NO_ERROR) goto restart_write;
780 return NULL;
781 }
782
writeUtf8AsUtf16(const std::string & str)783 status_t Parcel::writeUtf8AsUtf16(const std::string& str) {
784 const uint8_t* strData = (uint8_t*)str.data();
785 const size_t strLen= str.length();
786 const ssize_t utf16Len = utf8_to_utf16_length(strData, strLen);
787 if (utf16Len < 0 || utf16Len> std::numeric_limits<int32_t>::max()) {
788 return BAD_VALUE;
789 }
790
791 status_t err = writeInt32(utf16Len);
792 if (err) {
793 return err;
794 }
795
796 // Allocate enough bytes to hold our converted string and its terminating NULL.
797 void* dst = writeInplace((utf16Len + 1) * sizeof(char16_t));
798 if (!dst) {
799 return NO_MEMORY;
800 }
801
802 utf8_to_utf16(strData, strLen, (char16_t*)dst);
803
804 return NO_ERROR;
805 }
806
writeUtf8AsUtf16(const std::unique_ptr<std::string> & str)807 status_t Parcel::writeUtf8AsUtf16(const std::unique_ptr<std::string>& str) {
808 if (!str) {
809 return writeInt32(-1);
810 }
811 return writeUtf8AsUtf16(*str);
812 }
813
814 namespace {
815
816 template<typename T>
writeByteVectorInternal(Parcel * parcel,const std::vector<T> & val)817 status_t writeByteVectorInternal(Parcel* parcel, const std::vector<T>& val)
818 {
819 status_t status;
820 if (val.size() > std::numeric_limits<int32_t>::max()) {
821 status = BAD_VALUE;
822 return status;
823 }
824
825 status = parcel->writeInt32(val.size());
826 if (status != OK) {
827 return status;
828 }
829
830 void* data = parcel->writeInplace(val.size());
831 if (!data) {
832 status = BAD_VALUE;
833 return status;
834 }
835
836 memcpy(data, val.data(), val.size());
837 return status;
838 }
839
840 template<typename T>
writeByteVectorInternalPtr(Parcel * parcel,const std::unique_ptr<std::vector<T>> & val)841 status_t writeByteVectorInternalPtr(Parcel* parcel,
842 const std::unique_ptr<std::vector<T>>& val)
843 {
844 if (!val) {
845 return parcel->writeInt32(-1);
846 }
847
848 return writeByteVectorInternal(parcel, *val);
849 }
850
851 } // namespace
852
writeByteVector(const std::vector<int8_t> & val)853 status_t Parcel::writeByteVector(const std::vector<int8_t>& val) {
854 return writeByteVectorInternal(this, val);
855 }
856
writeByteVector(const std::unique_ptr<std::vector<int8_t>> & val)857 status_t Parcel::writeByteVector(const std::unique_ptr<std::vector<int8_t>>& val)
858 {
859 return writeByteVectorInternalPtr(this, val);
860 }
861
writeByteVector(const std::vector<uint8_t> & val)862 status_t Parcel::writeByteVector(const std::vector<uint8_t>& val) {
863 return writeByteVectorInternal(this, val);
864 }
865
writeByteVector(const std::unique_ptr<std::vector<uint8_t>> & val)866 status_t Parcel::writeByteVector(const std::unique_ptr<std::vector<uint8_t>>& val)
867 {
868 return writeByteVectorInternalPtr(this, val);
869 }
870
writeInt32Vector(const std::vector<int32_t> & val)871 status_t Parcel::writeInt32Vector(const std::vector<int32_t>& val)
872 {
873 return writeTypedVector(val, &Parcel::writeInt32);
874 }
875
writeInt32Vector(const std::unique_ptr<std::vector<int32_t>> & val)876 status_t Parcel::writeInt32Vector(const std::unique_ptr<std::vector<int32_t>>& val)
877 {
878 return writeNullableTypedVector(val, &Parcel::writeInt32);
879 }
880
writeInt64Vector(const std::vector<int64_t> & val)881 status_t Parcel::writeInt64Vector(const std::vector<int64_t>& val)
882 {
883 return writeTypedVector(val, &Parcel::writeInt64);
884 }
885
writeInt64Vector(const std::unique_ptr<std::vector<int64_t>> & val)886 status_t Parcel::writeInt64Vector(const std::unique_ptr<std::vector<int64_t>>& val)
887 {
888 return writeNullableTypedVector(val, &Parcel::writeInt64);
889 }
890
writeFloatVector(const std::vector<float> & val)891 status_t Parcel::writeFloatVector(const std::vector<float>& val)
892 {
893 return writeTypedVector(val, &Parcel::writeFloat);
894 }
895
writeFloatVector(const std::unique_ptr<std::vector<float>> & val)896 status_t Parcel::writeFloatVector(const std::unique_ptr<std::vector<float>>& val)
897 {
898 return writeNullableTypedVector(val, &Parcel::writeFloat);
899 }
900
writeDoubleVector(const std::vector<double> & val)901 status_t Parcel::writeDoubleVector(const std::vector<double>& val)
902 {
903 return writeTypedVector(val, &Parcel::writeDouble);
904 }
905
writeDoubleVector(const std::unique_ptr<std::vector<double>> & val)906 status_t Parcel::writeDoubleVector(const std::unique_ptr<std::vector<double>>& val)
907 {
908 return writeNullableTypedVector(val, &Parcel::writeDouble);
909 }
910
writeBoolVector(const std::vector<bool> & val)911 status_t Parcel::writeBoolVector(const std::vector<bool>& val)
912 {
913 return writeTypedVector(val, &Parcel::writeBool);
914 }
915
writeBoolVector(const std::unique_ptr<std::vector<bool>> & val)916 status_t Parcel::writeBoolVector(const std::unique_ptr<std::vector<bool>>& val)
917 {
918 return writeNullableTypedVector(val, &Parcel::writeBool);
919 }
920
writeCharVector(const std::vector<char16_t> & val)921 status_t Parcel::writeCharVector(const std::vector<char16_t>& val)
922 {
923 return writeTypedVector(val, &Parcel::writeChar);
924 }
925
writeCharVector(const std::unique_ptr<std::vector<char16_t>> & val)926 status_t Parcel::writeCharVector(const std::unique_ptr<std::vector<char16_t>>& val)
927 {
928 return writeNullableTypedVector(val, &Parcel::writeChar);
929 }
930
writeString16Vector(const std::vector<String16> & val)931 status_t Parcel::writeString16Vector(const std::vector<String16>& val)
932 {
933 return writeTypedVector(val, &Parcel::writeString16);
934 }
935
writeString16Vector(const std::unique_ptr<std::vector<std::unique_ptr<String16>>> & val)936 status_t Parcel::writeString16Vector(
937 const std::unique_ptr<std::vector<std::unique_ptr<String16>>>& val)
938 {
939 return writeNullableTypedVector(val, &Parcel::writeString16);
940 }
941
writeUtf8VectorAsUtf16Vector(const std::unique_ptr<std::vector<std::unique_ptr<std::string>>> & val)942 status_t Parcel::writeUtf8VectorAsUtf16Vector(
943 const std::unique_ptr<std::vector<std::unique_ptr<std::string>>>& val) {
944 return writeNullableTypedVector(val, &Parcel::writeUtf8AsUtf16);
945 }
946
writeUtf8VectorAsUtf16Vector(const std::vector<std::string> & val)947 status_t Parcel::writeUtf8VectorAsUtf16Vector(const std::vector<std::string>& val) {
948 return writeTypedVector(val, &Parcel::writeUtf8AsUtf16);
949 }
950
writeInt32(int32_t val)951 status_t Parcel::writeInt32(int32_t val)
952 {
953 return writeAligned(val);
954 }
955
writeUint32(uint32_t val)956 status_t Parcel::writeUint32(uint32_t val)
957 {
958 return writeAligned(val);
959 }
960
writeInt32Array(size_t len,const int32_t * val)961 status_t Parcel::writeInt32Array(size_t len, const int32_t *val) {
962 if (len > INT32_MAX) {
963 // don't accept size_t values which may have come from an
964 // inadvertent conversion from a negative int.
965 return BAD_VALUE;
966 }
967
968 if (!val) {
969 return writeInt32(-1);
970 }
971 status_t ret = writeInt32(static_cast<uint32_t>(len));
972 if (ret == NO_ERROR) {
973 ret = write(val, len * sizeof(*val));
974 }
975 return ret;
976 }
writeByteArray(size_t len,const uint8_t * val)977 status_t Parcel::writeByteArray(size_t len, const uint8_t *val) {
978 if (len > INT32_MAX) {
979 // don't accept size_t values which may have come from an
980 // inadvertent conversion from a negative int.
981 return BAD_VALUE;
982 }
983
984 if (!val) {
985 return writeInt32(-1);
986 }
987 status_t ret = writeInt32(static_cast<uint32_t>(len));
988 if (ret == NO_ERROR) {
989 ret = write(val, len * sizeof(*val));
990 }
991 return ret;
992 }
993
writeBool(bool val)994 status_t Parcel::writeBool(bool val)
995 {
996 return writeInt32(int32_t(val));
997 }
998
writeChar(char16_t val)999 status_t Parcel::writeChar(char16_t val)
1000 {
1001 return writeInt32(int32_t(val));
1002 }
1003
writeByte(int8_t val)1004 status_t Parcel::writeByte(int8_t val)
1005 {
1006 return writeInt32(int32_t(val));
1007 }
1008
writeInt64(int64_t val)1009 status_t Parcel::writeInt64(int64_t val)
1010 {
1011 return writeAligned(val);
1012 }
1013
writeUint64(uint64_t val)1014 status_t Parcel::writeUint64(uint64_t val)
1015 {
1016 return writeAligned(val);
1017 }
1018
writePointer(uintptr_t val)1019 status_t Parcel::writePointer(uintptr_t val)
1020 {
1021 return writeAligned<binder_uintptr_t>(val);
1022 }
1023
writeFloat(float val)1024 status_t Parcel::writeFloat(float val)
1025 {
1026 return writeAligned(val);
1027 }
1028
1029 #if defined(__mips__) && defined(__mips_hard_float)
1030
writeDouble(double val)1031 status_t Parcel::writeDouble(double val)
1032 {
1033 union {
1034 double d;
1035 unsigned long long ll;
1036 } u;
1037 u.d = val;
1038 return writeAligned(u.ll);
1039 }
1040
1041 #else
1042
writeDouble(double val)1043 status_t Parcel::writeDouble(double val)
1044 {
1045 return writeAligned(val);
1046 }
1047
1048 #endif
1049
writeCString(const char * str)1050 status_t Parcel::writeCString(const char* str)
1051 {
1052 return write(str, strlen(str)+1);
1053 }
1054
writeString8(const String8 & str)1055 status_t Parcel::writeString8(const String8& str)
1056 {
1057 status_t err = writeInt32(str.bytes());
1058 // only write string if its length is more than zero characters,
1059 // as readString8 will only read if the length field is non-zero.
1060 // this is slightly different from how writeString16 works.
1061 if (str.bytes() > 0 && err == NO_ERROR) {
1062 err = write(str.string(), str.bytes()+1);
1063 }
1064 return err;
1065 }
1066
writeString16(const std::unique_ptr<String16> & str)1067 status_t Parcel::writeString16(const std::unique_ptr<String16>& str)
1068 {
1069 if (!str) {
1070 return writeInt32(-1);
1071 }
1072
1073 return writeString16(*str);
1074 }
1075
writeString16(const String16 & str)1076 status_t Parcel::writeString16(const String16& str)
1077 {
1078 return writeString16(str.string(), str.size());
1079 }
1080
writeString16(const char16_t * str,size_t len)1081 status_t Parcel::writeString16(const char16_t* str, size_t len)
1082 {
1083 if (str == NULL) return writeInt32(-1);
1084
1085 status_t err = writeInt32(len);
1086 if (err == NO_ERROR) {
1087 len *= sizeof(char16_t);
1088 uint8_t* data = (uint8_t*)writeInplace(len+sizeof(char16_t));
1089 if (data) {
1090 memcpy(data, str, len);
1091 *reinterpret_cast<char16_t*>(data+len) = 0;
1092 return NO_ERROR;
1093 }
1094 err = mError;
1095 }
1096 return err;
1097 }
1098
writeStrongBinder(const sp<IBinder> & val)1099 status_t Parcel::writeStrongBinder(const sp<IBinder>& val)
1100 {
1101 return flatten_binder(ProcessState::self(), val, this);
1102 }
1103
writeStrongBinderVector(const std::vector<sp<IBinder>> & val)1104 status_t Parcel::writeStrongBinderVector(const std::vector<sp<IBinder>>& val)
1105 {
1106 return writeTypedVector(val, &Parcel::writeStrongBinder);
1107 }
1108
writeStrongBinderVector(const std::unique_ptr<std::vector<sp<IBinder>>> & val)1109 status_t Parcel::writeStrongBinderVector(const std::unique_ptr<std::vector<sp<IBinder>>>& val)
1110 {
1111 return writeNullableTypedVector(val, &Parcel::writeStrongBinder);
1112 }
1113
readStrongBinderVector(std::unique_ptr<std::vector<sp<IBinder>>> * val) const1114 status_t Parcel::readStrongBinderVector(std::unique_ptr<std::vector<sp<IBinder>>>* val) const {
1115 return readNullableTypedVector(val, &Parcel::readStrongBinder);
1116 }
1117
readStrongBinderVector(std::vector<sp<IBinder>> * val) const1118 status_t Parcel::readStrongBinderVector(std::vector<sp<IBinder>>* val) const {
1119 return readTypedVector(val, &Parcel::readStrongBinder);
1120 }
1121
writeWeakBinder(const wp<IBinder> & val)1122 status_t Parcel::writeWeakBinder(const wp<IBinder>& val)
1123 {
1124 return flatten_binder(ProcessState::self(), val, this);
1125 }
1126
writeRawNullableParcelable(const Parcelable * parcelable)1127 status_t Parcel::writeRawNullableParcelable(const Parcelable* parcelable) {
1128 if (!parcelable) {
1129 return writeInt32(0);
1130 }
1131
1132 return writeParcelable(*parcelable);
1133 }
1134
writeParcelable(const Parcelable & parcelable)1135 status_t Parcel::writeParcelable(const Parcelable& parcelable) {
1136 status_t status = writeInt32(1); // parcelable is not null.
1137 if (status != OK) {
1138 return status;
1139 }
1140 return parcelable.writeToParcel(this);
1141 }
1142
writeNativeHandle(const native_handle * handle)1143 status_t Parcel::writeNativeHandle(const native_handle* handle)
1144 {
1145 if (!handle || handle->version != sizeof(native_handle))
1146 return BAD_TYPE;
1147
1148 status_t err;
1149 err = writeInt32(handle->numFds);
1150 if (err != NO_ERROR) return err;
1151
1152 err = writeInt32(handle->numInts);
1153 if (err != NO_ERROR) return err;
1154
1155 for (int i=0 ; err==NO_ERROR && i<handle->numFds ; i++)
1156 err = writeDupFileDescriptor(handle->data[i]);
1157
1158 if (err != NO_ERROR) {
1159 ALOGD("write native handle, write dup fd failed");
1160 return err;
1161 }
1162 err = write(handle->data + handle->numFds, sizeof(int)*handle->numInts);
1163 return err;
1164 }
1165
writeFileDescriptor(int fd,bool takeOwnership)1166 status_t Parcel::writeFileDescriptor(int fd, bool takeOwnership)
1167 {
1168 flat_binder_object obj;
1169 obj.type = BINDER_TYPE_FD;
1170 obj.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
1171 obj.binder = 0; /* Don't pass uninitialized stack data to a remote process */
1172 obj.handle = fd;
1173 obj.cookie = takeOwnership ? 1 : 0;
1174 return writeObject(obj, true);
1175 }
1176
writeDupFileDescriptor(int fd)1177 status_t Parcel::writeDupFileDescriptor(int fd)
1178 {
1179 int dupFd = dup(fd);
1180 if (dupFd < 0) {
1181 return -errno;
1182 }
1183 status_t err = writeFileDescriptor(dupFd, true /*takeOwnership*/);
1184 if (err != OK) {
1185 close(dupFd);
1186 }
1187 return err;
1188 }
1189
writeUniqueFileDescriptor(const ScopedFd & fd)1190 status_t Parcel::writeUniqueFileDescriptor(const ScopedFd& fd) {
1191 return writeDupFileDescriptor(fd.get());
1192 }
1193
writeUniqueFileDescriptorVector(const std::vector<ScopedFd> & val)1194 status_t Parcel::writeUniqueFileDescriptorVector(const std::vector<ScopedFd>& val) {
1195 return writeTypedVector(val, &Parcel::writeUniqueFileDescriptor);
1196 }
1197
writeUniqueFileDescriptorVector(const std::unique_ptr<std::vector<ScopedFd>> & val)1198 status_t Parcel::writeUniqueFileDescriptorVector(const std::unique_ptr<std::vector<ScopedFd>>& val) {
1199 return writeNullableTypedVector(val, &Parcel::writeUniqueFileDescriptor);
1200 }
1201
writeBlob(size_t len,bool mutableCopy,WritableBlob * outBlob)1202 status_t Parcel::writeBlob(size_t len, bool mutableCopy, WritableBlob* outBlob)
1203 {
1204 if (len > INT32_MAX) {
1205 // don't accept size_t values which may have come from an
1206 // inadvertent conversion from a negative int.
1207 return BAD_VALUE;
1208 }
1209
1210 status_t status;
1211 if (!mAllowFds || len <= BLOB_INPLACE_LIMIT) {
1212 ALOGV("writeBlob: write in place");
1213 status = writeInt32(BLOB_INPLACE);
1214 if (status) return status;
1215
1216 void* ptr = writeInplace(len);
1217 if (!ptr) return NO_MEMORY;
1218
1219 outBlob->init(-1, ptr, len, false);
1220 return NO_ERROR;
1221 }
1222
1223 ALOGV("writeBlob: write to ashmem");
1224 int fd = ashmem_create_region("Parcel Blob", len);
1225 if (fd < 0) return NO_MEMORY;
1226
1227 int result = ashmem_set_prot_region(fd, PROT_READ | PROT_WRITE);
1228 if (result < 0) {
1229 status = result;
1230 } else {
1231 void* ptr = ::mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
1232 if (ptr == MAP_FAILED) {
1233 status = -errno;
1234 } else {
1235 if (!mutableCopy) {
1236 result = ashmem_set_prot_region(fd, PROT_READ);
1237 }
1238 if (result < 0) {
1239 status = result;
1240 } else {
1241 status = writeInt32(mutableCopy ? BLOB_ASHMEM_MUTABLE : BLOB_ASHMEM_IMMUTABLE);
1242 if (!status) {
1243 status = writeFileDescriptor(fd, true /*takeOwnership*/);
1244 if (!status) {
1245 outBlob->init(fd, ptr, len, mutableCopy);
1246 return NO_ERROR;
1247 }
1248 }
1249 }
1250 }
1251 ::munmap(ptr, len);
1252 }
1253 ::close(fd);
1254 return status;
1255 }
1256
writeDupImmutableBlobFileDescriptor(int fd)1257 status_t Parcel::writeDupImmutableBlobFileDescriptor(int fd)
1258 {
1259 // Must match up with what's done in writeBlob.
1260 if (!mAllowFds) return FDS_NOT_ALLOWED;
1261 status_t status = writeInt32(BLOB_ASHMEM_IMMUTABLE);
1262 if (status) return status;
1263 return writeDupFileDescriptor(fd);
1264 }
1265
write(const FlattenableHelperInterface & val)1266 status_t Parcel::write(const FlattenableHelperInterface& val)
1267 {
1268 status_t err;
1269
1270 // size if needed
1271 const size_t len = val.getFlattenedSize();
1272 const size_t fd_count = val.getFdCount();
1273
1274 if ((len > INT32_MAX) || (fd_count >= gMaxFds)) {
1275 // don't accept size_t values which may have come from an
1276 // inadvertent conversion from a negative int.
1277 return BAD_VALUE;
1278 }
1279
1280 err = this->writeInt32(len);
1281 if (err) return err;
1282
1283 err = this->writeInt32(fd_count);
1284 if (err) return err;
1285
1286 // payload
1287 void* const buf = this->writeInplace(pad_size(len));
1288 if (buf == NULL)
1289 return BAD_VALUE;
1290
1291 int* fds = NULL;
1292 if (fd_count) {
1293 fds = new (std::nothrow) int[fd_count];
1294 if (fds == nullptr) {
1295 ALOGE("write: failed to allocate requested %zu fds", fd_count);
1296 return BAD_VALUE;
1297 }
1298 }
1299
1300 err = val.flatten(buf, len, fds, fd_count);
1301 for (size_t i=0 ; i<fd_count && err==NO_ERROR ; i++) {
1302 err = this->writeDupFileDescriptor( fds[i] );
1303 }
1304
1305 if (fd_count) {
1306 delete [] fds;
1307 }
1308
1309 return err;
1310 }
1311
writeObject(const flat_binder_object & val,bool nullMetaData)1312 status_t Parcel::writeObject(const flat_binder_object& val, bool nullMetaData)
1313 {
1314 const bool enoughData = (mDataPos+sizeof(val)) <= mDataCapacity;
1315 const bool enoughObjects = mObjectsSize < mObjectsCapacity;
1316 if (enoughData && enoughObjects) {
1317 restart_write:
1318 *reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;
1319
1320 // remember if it's a file descriptor
1321 if (val.type == BINDER_TYPE_FD) {
1322 if (!mAllowFds) {
1323 // fail before modifying our object index
1324 return FDS_NOT_ALLOWED;
1325 }
1326 mHasFds = mFdsKnown = true;
1327 }
1328
1329 // Need to write meta-data?
1330 if (nullMetaData || val.binder != 0) {
1331 mObjects[mObjectsSize] = mDataPos;
1332 acquire_object(ProcessState::self(), val, this, &mOpenAshmemSize);
1333 mObjectsSize++;
1334 }
1335
1336 return finishWrite(sizeof(flat_binder_object));
1337 }
1338
1339 if (!enoughData) {
1340 const status_t err = growData(sizeof(val));
1341 if (err != NO_ERROR) return err;
1342 }
1343 if (!enoughObjects) {
1344 size_t newSize = ((mObjectsSize+2)*3)/2;
1345 if (newSize*sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY; // overflow
1346 binder_size_t* objects = (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t));
1347 if (objects == NULL) return NO_MEMORY;
1348 mObjects = objects;
1349 mObjectsCapacity = newSize;
1350 }
1351
1352 goto restart_write;
1353 }
1354
writeNoException()1355 status_t Parcel::writeNoException()
1356 {
1357 binder::Status status;
1358 return status.writeToParcel(this);
1359 }
1360
remove(size_t,size_t)1361 void Parcel::remove(size_t /*start*/, size_t /*amt*/)
1362 {
1363 LOG_ALWAYS_FATAL("Parcel::remove() not yet implemented!");
1364 }
1365
read(void * outData,size_t len) const1366 status_t Parcel::read(void* outData, size_t len) const
1367 {
1368 if (len > INT32_MAX) {
1369 // don't accept size_t values which may have come from an
1370 // inadvertent conversion from a negative int.
1371 return BAD_VALUE;
1372 }
1373
1374 if ((mDataPos+pad_size(len)) >= mDataPos && (mDataPos+pad_size(len)) <= mDataSize
1375 && len <= pad_size(len)) {
1376 memcpy(outData, mData+mDataPos, len);
1377 mDataPos += pad_size(len);
1378 ALOGV("read Setting data pos of %p to %zu", this, mDataPos);
1379 return NO_ERROR;
1380 }
1381 return NOT_ENOUGH_DATA;
1382 }
1383
readInplace(size_t len) const1384 const void* Parcel::readInplace(size_t len) const
1385 {
1386 if (len > INT32_MAX) {
1387 // don't accept size_t values which may have come from an
1388 // inadvertent conversion from a negative int.
1389 return NULL;
1390 }
1391
1392 if ((mDataPos+pad_size(len)) >= mDataPos && (mDataPos+pad_size(len)) <= mDataSize
1393 && len <= pad_size(len)) {
1394 const void* data = mData+mDataPos;
1395 mDataPos += pad_size(len);
1396 ALOGV("readInplace Setting data pos of %p to %zu", this, mDataPos);
1397 return data;
1398 }
1399 return NULL;
1400 }
1401
1402 template<class T>
readAligned(T * pArg) const1403 status_t Parcel::readAligned(T *pArg) const {
1404 COMPILE_TIME_ASSERT_FUNCTION_SCOPE(PAD_SIZE_UNSAFE(sizeof(T)) == sizeof(T));
1405
1406 if ((mDataPos+sizeof(T)) <= mDataSize) {
1407 const void* data = mData+mDataPos;
1408 mDataPos += sizeof(T);
1409 *pArg = *reinterpret_cast<const T*>(data);
1410 return NO_ERROR;
1411 } else {
1412 return NOT_ENOUGH_DATA;
1413 }
1414 }
1415
1416 template<class T>
readAligned() const1417 T Parcel::readAligned() const {
1418 T result;
1419 if (readAligned(&result) != NO_ERROR) {
1420 result = 0;
1421 }
1422
1423 return result;
1424 }
1425
1426 template<class T>
writeAligned(T val)1427 status_t Parcel::writeAligned(T val) {
1428 COMPILE_TIME_ASSERT_FUNCTION_SCOPE(PAD_SIZE_UNSAFE(sizeof(T)) == sizeof(T));
1429
1430 if ((mDataPos+sizeof(val)) <= mDataCapacity) {
1431 restart_write:
1432 *reinterpret_cast<T*>(mData+mDataPos) = val;
1433 return finishWrite(sizeof(val));
1434 }
1435
1436 status_t err = growData(sizeof(val));
1437 if (err == NO_ERROR) goto restart_write;
1438 return err;
1439 }
1440
1441 namespace {
1442
1443 template<typename T>
readByteVectorInternal(const Parcel * parcel,std::vector<T> * val)1444 status_t readByteVectorInternal(const Parcel* parcel,
1445 std::vector<T>* val) {
1446 val->clear();
1447
1448 int32_t size;
1449 status_t status = parcel->readInt32(&size);
1450
1451 if (status != OK) {
1452 return status;
1453 }
1454
1455 if (size < 0) {
1456 status = UNEXPECTED_NULL;
1457 return status;
1458 }
1459 if (size_t(size) > parcel->dataAvail()) {
1460 status = BAD_VALUE;
1461 return status;
1462 }
1463
1464 const void* data = parcel->readInplace(size);
1465 if (!data) {
1466 status = BAD_VALUE;
1467 return status;
1468 }
1469 val->resize(size);
1470 memcpy(val->data(), data, size);
1471
1472 return status;
1473 }
1474
1475 template<typename T>
readByteVectorInternalPtr(const Parcel * parcel,std::unique_ptr<std::vector<T>> * val)1476 status_t readByteVectorInternalPtr(
1477 const Parcel* parcel,
1478 std::unique_ptr<std::vector<T>>* val) {
1479 const int32_t start = parcel->dataPosition();
1480 int32_t size;
1481 status_t status = parcel->readInt32(&size);
1482 val->reset();
1483
1484 if (status != OK || size < 0) {
1485 return status;
1486 }
1487
1488 parcel->setDataPosition(start);
1489 val->reset(new (std::nothrow) std::vector<T>());
1490
1491 status = readByteVectorInternal(parcel, val->get());
1492
1493 if (status != OK) {
1494 val->reset();
1495 }
1496
1497 return status;
1498 }
1499
1500 } // namespace
1501
readByteVector(std::vector<int8_t> * val) const1502 status_t Parcel::readByteVector(std::vector<int8_t>* val) const {
1503 return readByteVectorInternal(this, val);
1504 }
1505
readByteVector(std::vector<uint8_t> * val) const1506 status_t Parcel::readByteVector(std::vector<uint8_t>* val) const {
1507 return readByteVectorInternal(this, val);
1508 }
1509
readByteVector(std::unique_ptr<std::vector<int8_t>> * val) const1510 status_t Parcel::readByteVector(std::unique_ptr<std::vector<int8_t>>* val) const {
1511 return readByteVectorInternalPtr(this, val);
1512 }
1513
readByteVector(std::unique_ptr<std::vector<uint8_t>> * val) const1514 status_t Parcel::readByteVector(std::unique_ptr<std::vector<uint8_t>>* val) const {
1515 return readByteVectorInternalPtr(this, val);
1516 }
1517
readInt32Vector(std::unique_ptr<std::vector<int32_t>> * val) const1518 status_t Parcel::readInt32Vector(std::unique_ptr<std::vector<int32_t>>* val) const {
1519 return readNullableTypedVector(val, &Parcel::readInt32);
1520 }
1521
readInt32Vector(std::vector<int32_t> * val) const1522 status_t Parcel::readInt32Vector(std::vector<int32_t>* val) const {
1523 return readTypedVector(val, &Parcel::readInt32);
1524 }
1525
readInt64Vector(std::unique_ptr<std::vector<int64_t>> * val) const1526 status_t Parcel::readInt64Vector(std::unique_ptr<std::vector<int64_t>>* val) const {
1527 return readNullableTypedVector(val, &Parcel::readInt64);
1528 }
1529
readInt64Vector(std::vector<int64_t> * val) const1530 status_t Parcel::readInt64Vector(std::vector<int64_t>* val) const {
1531 return readTypedVector(val, &Parcel::readInt64);
1532 }
1533
readFloatVector(std::unique_ptr<std::vector<float>> * val) const1534 status_t Parcel::readFloatVector(std::unique_ptr<std::vector<float>>* val) const {
1535 return readNullableTypedVector(val, &Parcel::readFloat);
1536 }
1537
readFloatVector(std::vector<float> * val) const1538 status_t Parcel::readFloatVector(std::vector<float>* val) const {
1539 return readTypedVector(val, &Parcel::readFloat);
1540 }
1541
readDoubleVector(std::unique_ptr<std::vector<double>> * val) const1542 status_t Parcel::readDoubleVector(std::unique_ptr<std::vector<double>>* val) const {
1543 return readNullableTypedVector(val, &Parcel::readDouble);
1544 }
1545
readDoubleVector(std::vector<double> * val) const1546 status_t Parcel::readDoubleVector(std::vector<double>* val) const {
1547 return readTypedVector(val, &Parcel::readDouble);
1548 }
1549
readBoolVector(std::unique_ptr<std::vector<bool>> * val) const1550 status_t Parcel::readBoolVector(std::unique_ptr<std::vector<bool>>* val) const {
1551 const int32_t start = dataPosition();
1552 int32_t size;
1553 status_t status = readInt32(&size);
1554 val->reset();
1555
1556 if (status != OK || size < 0) {
1557 return status;
1558 }
1559
1560 setDataPosition(start);
1561 val->reset(new (std::nothrow) std::vector<bool>());
1562
1563 status = readBoolVector(val->get());
1564
1565 if (status != OK) {
1566 val->reset();
1567 }
1568
1569 return status;
1570 }
1571
readBoolVector(std::vector<bool> * val) const1572 status_t Parcel::readBoolVector(std::vector<bool>* val) const {
1573 int32_t size;
1574 status_t status = readInt32(&size);
1575
1576 if (status != OK) {
1577 return status;
1578 }
1579
1580 if (size < 0) {
1581 return UNEXPECTED_NULL;
1582 }
1583
1584 val->resize(size);
1585
1586 /* C++ bool handling means a vector of bools isn't necessarily addressable
1587 * (we might use individual bits)
1588 */
1589 bool data;
1590 for (int32_t i = 0; i < size; ++i) {
1591 status = readBool(&data);
1592 (*val)[i] = data;
1593
1594 if (status != OK) {
1595 return status;
1596 }
1597 }
1598
1599 return OK;
1600 }
1601
readCharVector(std::unique_ptr<std::vector<char16_t>> * val) const1602 status_t Parcel::readCharVector(std::unique_ptr<std::vector<char16_t>>* val) const {
1603 return readNullableTypedVector(val, &Parcel::readChar);
1604 }
1605
readCharVector(std::vector<char16_t> * val) const1606 status_t Parcel::readCharVector(std::vector<char16_t>* val) const {
1607 return readTypedVector(val, &Parcel::readChar);
1608 }
1609
readString16Vector(std::unique_ptr<std::vector<std::unique_ptr<String16>>> * val) const1610 status_t Parcel::readString16Vector(
1611 std::unique_ptr<std::vector<std::unique_ptr<String16>>>* val) const {
1612 return readNullableTypedVector(val, &Parcel::readString16);
1613 }
1614
readString16Vector(std::vector<String16> * val) const1615 status_t Parcel::readString16Vector(std::vector<String16>* val) const {
1616 return readTypedVector(val, &Parcel::readString16);
1617 }
1618
readUtf8VectorFromUtf16Vector(std::unique_ptr<std::vector<std::unique_ptr<std::string>>> * val) const1619 status_t Parcel::readUtf8VectorFromUtf16Vector(
1620 std::unique_ptr<std::vector<std::unique_ptr<std::string>>>* val) const {
1621 return readNullableTypedVector(val, &Parcel::readUtf8FromUtf16);
1622 }
1623
readUtf8VectorFromUtf16Vector(std::vector<std::string> * val) const1624 status_t Parcel::readUtf8VectorFromUtf16Vector(std::vector<std::string>* val) const {
1625 return readTypedVector(val, &Parcel::readUtf8FromUtf16);
1626 }
1627
readInt32(int32_t * pArg) const1628 status_t Parcel::readInt32(int32_t *pArg) const
1629 {
1630 return readAligned(pArg);
1631 }
1632
readInt32() const1633 int32_t Parcel::readInt32() const
1634 {
1635 return readAligned<int32_t>();
1636 }
1637
readUint32(uint32_t * pArg) const1638 status_t Parcel::readUint32(uint32_t *pArg) const
1639 {
1640 return readAligned(pArg);
1641 }
1642
readUint32() const1643 uint32_t Parcel::readUint32() const
1644 {
1645 return readAligned<uint32_t>();
1646 }
1647
readInt64(int64_t * pArg) const1648 status_t Parcel::readInt64(int64_t *pArg) const
1649 {
1650 return readAligned(pArg);
1651 }
1652
1653
readInt64() const1654 int64_t Parcel::readInt64() const
1655 {
1656 return readAligned<int64_t>();
1657 }
1658
readUint64(uint64_t * pArg) const1659 status_t Parcel::readUint64(uint64_t *pArg) const
1660 {
1661 return readAligned(pArg);
1662 }
1663
readUint64() const1664 uint64_t Parcel::readUint64() const
1665 {
1666 return readAligned<uint64_t>();
1667 }
1668
readPointer(uintptr_t * pArg) const1669 status_t Parcel::readPointer(uintptr_t *pArg) const
1670 {
1671 status_t ret;
1672 binder_uintptr_t ptr;
1673 ret = readAligned(&ptr);
1674 if (!ret)
1675 *pArg = ptr;
1676 return ret;
1677 }
1678
readPointer() const1679 uintptr_t Parcel::readPointer() const
1680 {
1681 return readAligned<binder_uintptr_t>();
1682 }
1683
1684
readFloat(float * pArg) const1685 status_t Parcel::readFloat(float *pArg) const
1686 {
1687 return readAligned(pArg);
1688 }
1689
1690
readFloat() const1691 float Parcel::readFloat() const
1692 {
1693 return readAligned<float>();
1694 }
1695
1696 #if defined(__mips__) && defined(__mips_hard_float)
1697
readDouble(double * pArg) const1698 status_t Parcel::readDouble(double *pArg) const
1699 {
1700 union {
1701 double d;
1702 unsigned long long ll;
1703 } u;
1704 u.d = 0;
1705 status_t status;
1706 status = readAligned(&u.ll);
1707 *pArg = u.d;
1708 return status;
1709 }
1710
readDouble() const1711 double Parcel::readDouble() const
1712 {
1713 union {
1714 double d;
1715 unsigned long long ll;
1716 } u;
1717 u.ll = readAligned<unsigned long long>();
1718 return u.d;
1719 }
1720
1721 #else
1722
readDouble(double * pArg) const1723 status_t Parcel::readDouble(double *pArg) const
1724 {
1725 return readAligned(pArg);
1726 }
1727
readDouble() const1728 double Parcel::readDouble() const
1729 {
1730 return readAligned<double>();
1731 }
1732
1733 #endif
1734
readIntPtr(intptr_t * pArg) const1735 status_t Parcel::readIntPtr(intptr_t *pArg) const
1736 {
1737 return readAligned(pArg);
1738 }
1739
1740
readIntPtr() const1741 intptr_t Parcel::readIntPtr() const
1742 {
1743 return readAligned<intptr_t>();
1744 }
1745
readBool(bool * pArg) const1746 status_t Parcel::readBool(bool *pArg) const
1747 {
1748 int32_t tmp;
1749 status_t ret = readInt32(&tmp);
1750 *pArg = (tmp != 0);
1751 return ret;
1752 }
1753
readBool() const1754 bool Parcel::readBool() const
1755 {
1756 return readInt32() != 0;
1757 }
1758
readChar(char16_t * pArg) const1759 status_t Parcel::readChar(char16_t *pArg) const
1760 {
1761 int32_t tmp;
1762 status_t ret = readInt32(&tmp);
1763 *pArg = char16_t(tmp);
1764 return ret;
1765 }
1766
readChar() const1767 char16_t Parcel::readChar() const
1768 {
1769 return char16_t(readInt32());
1770 }
1771
readByte(int8_t * pArg) const1772 status_t Parcel::readByte(int8_t *pArg) const
1773 {
1774 int32_t tmp;
1775 status_t ret = readInt32(&tmp);
1776 *pArg = int8_t(tmp);
1777 return ret;
1778 }
1779
readByte() const1780 int8_t Parcel::readByte() const
1781 {
1782 return int8_t(readInt32());
1783 }
1784
readUtf8FromUtf16(std::string * str) const1785 status_t Parcel::readUtf8FromUtf16(std::string* str) const {
1786 size_t utf16Size = 0;
1787 const char16_t* src = readString16Inplace(&utf16Size);
1788 if (!src) {
1789 return UNEXPECTED_NULL;
1790 }
1791
1792 // Save ourselves the trouble, we're done.
1793 if (utf16Size == 0u) {
1794 str->clear();
1795 return NO_ERROR;
1796 }
1797
1798 // Allow for closing '\0'
1799 ssize_t utf8Size = utf16_to_utf8_length(src, utf16Size) + 1;
1800 if (utf8Size < 1) {
1801 return BAD_VALUE;
1802 }
1803 // Note that while it is probably safe to assume string::resize keeps a
1804 // spare byte around for the trailing null, we still pass the size including the trailing null
1805 str->resize(utf8Size);
1806 utf16_to_utf8(src, utf16Size, &((*str)[0]), utf8Size);
1807 str->resize(utf8Size - 1);
1808 return NO_ERROR;
1809 }
1810
readUtf8FromUtf16(std::unique_ptr<std::string> * str) const1811 status_t Parcel::readUtf8FromUtf16(std::unique_ptr<std::string>* str) const {
1812 const int32_t start = dataPosition();
1813 int32_t size;
1814 status_t status = readInt32(&size);
1815 str->reset();
1816
1817 if (status != OK || size < 0) {
1818 return status;
1819 }
1820
1821 setDataPosition(start);
1822 str->reset(new (std::nothrow) std::string());
1823 return readUtf8FromUtf16(str->get());
1824 }
1825
readCString() const1826 const char* Parcel::readCString() const
1827 {
1828 const size_t avail = mDataSize-mDataPos;
1829 if (avail > 0) {
1830 const char* str = reinterpret_cast<const char*>(mData+mDataPos);
1831 // is the string's trailing NUL within the parcel's valid bounds?
1832 const char* eos = reinterpret_cast<const char*>(memchr(str, 0, avail));
1833 if (eos) {
1834 const size_t len = eos - str;
1835 mDataPos += pad_size(len+1);
1836 ALOGV("readCString Setting data pos of %p to %zu", this, mDataPos);
1837 return str;
1838 }
1839 }
1840 return NULL;
1841 }
1842
readString8() const1843 String8 Parcel::readString8() const
1844 {
1845 int32_t size = readInt32();
1846 // watch for potential int overflow adding 1 for trailing NUL
1847 if (size > 0 && size < INT32_MAX) {
1848 const char* str = (const char*)readInplace(size+1);
1849 if (str) return String8(str, size);
1850 }
1851 return String8();
1852 }
1853
readString16() const1854 String16 Parcel::readString16() const
1855 {
1856 size_t len;
1857 const char16_t* str = readString16Inplace(&len);
1858 if (str) return String16(str, len);
1859 ALOGE("Reading a NULL string not supported here.");
1860 return String16();
1861 }
1862
readString16(std::unique_ptr<String16> * pArg) const1863 status_t Parcel::readString16(std::unique_ptr<String16>* pArg) const
1864 {
1865 const int32_t start = dataPosition();
1866 int32_t size;
1867 status_t status = readInt32(&size);
1868 pArg->reset();
1869
1870 if (status != OK || size < 0) {
1871 return status;
1872 }
1873
1874 setDataPosition(start);
1875 pArg->reset(new (std::nothrow) String16());
1876
1877 status = readString16(pArg->get());
1878
1879 if (status != OK) {
1880 pArg->reset();
1881 }
1882
1883 return status;
1884 }
1885
readString16(String16 * pArg) const1886 status_t Parcel::readString16(String16* pArg) const
1887 {
1888 size_t len;
1889 const char16_t* str = readString16Inplace(&len);
1890 if (str) {
1891 pArg->setTo(str, len);
1892 return 0;
1893 } else {
1894 *pArg = String16();
1895 return UNEXPECTED_NULL;
1896 }
1897 }
1898
readString16Inplace(size_t * outLen) const1899 const char16_t* Parcel::readString16Inplace(size_t* outLen) const
1900 {
1901 int32_t size = readInt32();
1902 // watch for potential int overflow from size+1
1903 if (size >= 0 && size < INT32_MAX) {
1904 *outLen = size;
1905 const char16_t* str = (const char16_t*)readInplace((size+1)*sizeof(char16_t));
1906 if (str != NULL) {
1907 return str;
1908 }
1909 }
1910 *outLen = 0;
1911 return NULL;
1912 }
1913
readStrongBinder(sp<IBinder> * val) const1914 status_t Parcel::readStrongBinder(sp<IBinder>* val) const
1915 {
1916 return unflatten_binder(ProcessState::self(), *this, val);
1917 }
1918
readStrongBinder() const1919 sp<IBinder> Parcel::readStrongBinder() const
1920 {
1921 sp<IBinder> val;
1922 readStrongBinder(&val);
1923 return val;
1924 }
1925
readWeakBinder() const1926 wp<IBinder> Parcel::readWeakBinder() const
1927 {
1928 wp<IBinder> val;
1929 unflatten_binder(ProcessState::self(), *this, &val);
1930 return val;
1931 }
1932
readParcelable(Parcelable * parcelable) const1933 status_t Parcel::readParcelable(Parcelable* parcelable) const {
1934 int32_t have_parcelable = 0;
1935 status_t status = readInt32(&have_parcelable);
1936 if (status != OK) {
1937 return status;
1938 }
1939 if (!have_parcelable) {
1940 return UNEXPECTED_NULL;
1941 }
1942 return parcelable->readFromParcel(this);
1943 }
1944
readExceptionCode() const1945 int32_t Parcel::readExceptionCode() const
1946 {
1947 binder::Status status;
1948 status.readFromParcel(*this);
1949 return status.exceptionCode();
1950 }
1951
readNativeHandle() const1952 native_handle* Parcel::readNativeHandle() const
1953 {
1954 int numFds, numInts;
1955 status_t err;
1956 err = readInt32(&numFds);
1957 if (err != NO_ERROR) return 0;
1958 err = readInt32(&numInts);
1959 if (err != NO_ERROR) return 0;
1960
1961 native_handle* h = native_handle_create(numFds, numInts);
1962 if (!h) {
1963 return 0;
1964 }
1965
1966 for (int i=0 ; err==NO_ERROR && i<numFds ; i++) {
1967 h->data[i] = dup(readFileDescriptor());
1968 if (h->data[i] < 0) {
1969 for (int j = 0; j < i; j++) {
1970 close(h->data[j]);
1971 }
1972 native_handle_delete(h);
1973 return 0;
1974 }
1975 }
1976 err = read(h->data + numFds, sizeof(int)*numInts);
1977 if (err != NO_ERROR) {
1978 native_handle_close(h);
1979 native_handle_delete(h);
1980 h = 0;
1981 }
1982 return h;
1983 }
1984
1985
readFileDescriptor() const1986 int Parcel::readFileDescriptor() const
1987 {
1988 const flat_binder_object* flat = readObject(true);
1989
1990 if (flat && flat->type == BINDER_TYPE_FD) {
1991 return flat->handle;
1992 }
1993
1994 return BAD_TYPE;
1995 }
1996
readUniqueFileDescriptor(ScopedFd * val) const1997 status_t Parcel::readUniqueFileDescriptor(ScopedFd* val) const
1998 {
1999 int got = readFileDescriptor();
2000
2001 if (got == BAD_TYPE) {
2002 return BAD_TYPE;
2003 }
2004
2005 val->reset(dup(got));
2006
2007 if (val->get() < 0) {
2008 return BAD_VALUE;
2009 }
2010
2011 return OK;
2012 }
2013
2014
readUniqueFileDescriptorVector(std::unique_ptr<std::vector<ScopedFd>> * val) const2015 status_t Parcel::readUniqueFileDescriptorVector(std::unique_ptr<std::vector<ScopedFd>>* val) const {
2016 return readNullableTypedVector(val, &Parcel::readUniqueFileDescriptor);
2017 }
2018
readUniqueFileDescriptorVector(std::vector<ScopedFd> * val) const2019 status_t Parcel::readUniqueFileDescriptorVector(std::vector<ScopedFd>* val) const {
2020 return readTypedVector(val, &Parcel::readUniqueFileDescriptor);
2021 }
2022
readBlob(size_t len,ReadableBlob * outBlob) const2023 status_t Parcel::readBlob(size_t len, ReadableBlob* outBlob) const
2024 {
2025 int32_t blobType;
2026 status_t status = readInt32(&blobType);
2027 if (status) return status;
2028
2029 if (blobType == BLOB_INPLACE) {
2030 ALOGV("readBlob: read in place");
2031 const void* ptr = readInplace(len);
2032 if (!ptr) return BAD_VALUE;
2033
2034 outBlob->init(-1, const_cast<void*>(ptr), len, false);
2035 return NO_ERROR;
2036 }
2037
2038 ALOGV("readBlob: read from ashmem");
2039 bool isMutable = (blobType == BLOB_ASHMEM_MUTABLE);
2040 int fd = readFileDescriptor();
2041 if (fd == int(BAD_TYPE)) return BAD_VALUE;
2042
2043 void* ptr = ::mmap(NULL, len, isMutable ? PROT_READ | PROT_WRITE : PROT_READ,
2044 MAP_SHARED, fd, 0);
2045 if (ptr == MAP_FAILED) return NO_MEMORY;
2046
2047 outBlob->init(fd, ptr, len, isMutable);
2048 return NO_ERROR;
2049 }
2050
read(FlattenableHelperInterface & val) const2051 status_t Parcel::read(FlattenableHelperInterface& val) const
2052 {
2053 // size
2054 const size_t len = this->readInt32();
2055 const size_t fd_count = this->readInt32();
2056
2057 if ((len > INT32_MAX) || (fd_count >= gMaxFds)) {
2058 // don't accept size_t values which may have come from an
2059 // inadvertent conversion from a negative int.
2060 return BAD_VALUE;
2061 }
2062
2063 // payload
2064 void const* const buf = this->readInplace(pad_size(len));
2065 if (buf == NULL)
2066 return BAD_VALUE;
2067
2068 int* fds = NULL;
2069 if (fd_count) {
2070 fds = new (std::nothrow) int[fd_count];
2071 if (fds == nullptr) {
2072 ALOGE("read: failed to allocate requested %zu fds", fd_count);
2073 return BAD_VALUE;
2074 }
2075 }
2076
2077 status_t err = NO_ERROR;
2078 for (size_t i=0 ; i<fd_count && err==NO_ERROR ; i++) {
2079 fds[i] = dup(this->readFileDescriptor());
2080 if (fds[i] < 0) {
2081 err = BAD_VALUE;
2082 ALOGE("dup() failed in Parcel::read, i is %zu, fds[i] is %d, fd_count is %zu, error: %s",
2083 i, fds[i], fd_count, strerror(errno));
2084 }
2085 }
2086
2087 if (err == NO_ERROR) {
2088 err = val.unflatten(buf, len, fds, fd_count);
2089 }
2090
2091 if (fd_count) {
2092 delete [] fds;
2093 }
2094
2095 return err;
2096 }
readObject(bool nullMetaData) const2097 const flat_binder_object* Parcel::readObject(bool nullMetaData) const
2098 {
2099 const size_t DPOS = mDataPos;
2100 if ((DPOS+sizeof(flat_binder_object)) <= mDataSize) {
2101 const flat_binder_object* obj
2102 = reinterpret_cast<const flat_binder_object*>(mData+DPOS);
2103 mDataPos = DPOS + sizeof(flat_binder_object);
2104 if (!nullMetaData && (obj->cookie == 0 && obj->binder == 0)) {
2105 // When transferring a NULL object, we don't write it into
2106 // the object list, so we don't want to check for it when
2107 // reading.
2108 ALOGV("readObject Setting data pos of %p to %zu", this, mDataPos);
2109 return obj;
2110 }
2111
2112 // Ensure that this object is valid...
2113 binder_size_t* const OBJS = mObjects;
2114 const size_t N = mObjectsSize;
2115 size_t opos = mNextObjectHint;
2116
2117 if (N > 0) {
2118 ALOGV("Parcel %p looking for obj at %zu, hint=%zu",
2119 this, DPOS, opos);
2120
2121 // Start at the current hint position, looking for an object at
2122 // the current data position.
2123 if (opos < N) {
2124 while (opos < (N-1) && OBJS[opos] < DPOS) {
2125 opos++;
2126 }
2127 } else {
2128 opos = N-1;
2129 }
2130 if (OBJS[opos] == DPOS) {
2131 // Found it!
2132 ALOGV("Parcel %p found obj %zu at index %zu with forward search",
2133 this, DPOS, opos);
2134 mNextObjectHint = opos+1;
2135 ALOGV("readObject Setting data pos of %p to %zu", this, mDataPos);
2136 return obj;
2137 }
2138
2139 // Look backwards for it...
2140 while (opos > 0 && OBJS[opos] > DPOS) {
2141 opos--;
2142 }
2143 if (OBJS[opos] == DPOS) {
2144 // Found it!
2145 ALOGV("Parcel %p found obj %zu at index %zu with backward search",
2146 this, DPOS, opos);
2147 mNextObjectHint = opos+1;
2148 ALOGV("readObject Setting data pos of %p to %zu", this, mDataPos);
2149 return obj;
2150 }
2151 }
2152 ALOGW("Attempt to read object from Parcel %p at offset %zu that is not in the object list",
2153 this, DPOS);
2154 }
2155 return NULL;
2156 }
2157
closeFileDescriptors()2158 void Parcel::closeFileDescriptors()
2159 {
2160 size_t i = mObjectsSize;
2161 if (i > 0) {
2162 //ALOGI("Closing file descriptors for %zu objects...", i);
2163 }
2164 while (i > 0) {
2165 i--;
2166 const flat_binder_object* flat
2167 = reinterpret_cast<flat_binder_object*>(mData+mObjects[i]);
2168 if (flat->type == BINDER_TYPE_FD) {
2169 //ALOGI("Closing fd: %ld", flat->handle);
2170 close(flat->handle);
2171 }
2172 }
2173 }
2174
ipcData() const2175 uintptr_t Parcel::ipcData() const
2176 {
2177 return reinterpret_cast<uintptr_t>(mData);
2178 }
2179
ipcDataSize() const2180 size_t Parcel::ipcDataSize() const
2181 {
2182 return (mDataSize > mDataPos ? mDataSize : mDataPos);
2183 }
2184
ipcObjects() const2185 uintptr_t Parcel::ipcObjects() const
2186 {
2187 return reinterpret_cast<uintptr_t>(mObjects);
2188 }
2189
ipcObjectsCount() const2190 size_t Parcel::ipcObjectsCount() const
2191 {
2192 return mObjectsSize;
2193 }
2194
ipcSetDataReference(const uint8_t * data,size_t dataSize,const binder_size_t * objects,size_t objectsCount,release_func relFunc,void * relCookie)2195 void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
2196 const binder_size_t* objects, size_t objectsCount, release_func relFunc, void* relCookie)
2197 {
2198 binder_size_t minOffset = 0;
2199 freeDataNoInit();
2200 mError = NO_ERROR;
2201 mData = const_cast<uint8_t*>(data);
2202 mDataSize = mDataCapacity = dataSize;
2203 //ALOGI("setDataReference Setting data size of %p to %lu (pid=%d)", this, mDataSize, getpid());
2204 mDataPos = 0;
2205 ALOGV("setDataReference Setting data pos of %p to %zu", this, mDataPos);
2206 mObjects = const_cast<binder_size_t*>(objects);
2207 mObjectsSize = mObjectsCapacity = objectsCount;
2208 mNextObjectHint = 0;
2209 mOwner = relFunc;
2210 mOwnerCookie = relCookie;
2211 for (size_t i = 0; i < mObjectsSize; i++) {
2212 binder_size_t offset = mObjects[i];
2213 if (offset < minOffset) {
2214 ALOGE("%s: bad object offset %" PRIu64 " < %" PRIu64 "\n",
2215 __func__, (uint64_t)offset, (uint64_t)minOffset);
2216 mObjectsSize = 0;
2217 break;
2218 }
2219 minOffset = offset + sizeof(flat_binder_object);
2220 }
2221 scanForFds();
2222 }
2223
print(TextOutput & to,uint32_t) const2224 void Parcel::print(TextOutput& to, uint32_t /*flags*/) const
2225 {
2226 to << "Parcel(";
2227
2228 if (errorCheck() != NO_ERROR) {
2229 const status_t err = errorCheck();
2230 to << "Error: " << (void*)(intptr_t)err << " \"" << strerror(-err) << "\"";
2231 } else if (dataSize() > 0) {
2232 const uint8_t* DATA = data();
2233 to << indent << HexDump(DATA, dataSize()) << dedent;
2234 const binder_size_t* OBJS = objects();
2235 const size_t N = objectsCount();
2236 for (size_t i=0; i<N; i++) {
2237 const flat_binder_object* flat
2238 = reinterpret_cast<const flat_binder_object*>(DATA+OBJS[i]);
2239 to << endl << "Object #" << i << " @ " << (void*)OBJS[i] << ": "
2240 << TypeCode(flat->type & 0x7f7f7f00)
2241 << " = " << flat->binder;
2242 }
2243 } else {
2244 to << "NULL";
2245 }
2246
2247 to << ")";
2248 }
2249
releaseObjects()2250 void Parcel::releaseObjects()
2251 {
2252 const sp<ProcessState> proc(ProcessState::self());
2253 size_t i = mObjectsSize;
2254 uint8_t* const data = mData;
2255 binder_size_t* const objects = mObjects;
2256 while (i > 0) {
2257 i--;
2258 const flat_binder_object* flat
2259 = reinterpret_cast<flat_binder_object*>(data+objects[i]);
2260 release_object(proc, *flat, this, &mOpenAshmemSize);
2261 }
2262 }
2263
acquireObjects()2264 void Parcel::acquireObjects()
2265 {
2266 const sp<ProcessState> proc(ProcessState::self());
2267 size_t i = mObjectsSize;
2268 uint8_t* const data = mData;
2269 binder_size_t* const objects = mObjects;
2270 while (i > 0) {
2271 i--;
2272 const flat_binder_object* flat
2273 = reinterpret_cast<flat_binder_object*>(data+objects[i]);
2274 acquire_object(proc, *flat, this, &mOpenAshmemSize);
2275 }
2276 }
2277
freeData()2278 void Parcel::freeData()
2279 {
2280 freeDataNoInit();
2281 initState();
2282 }
2283
freeDataNoInit()2284 void Parcel::freeDataNoInit()
2285 {
2286 if (mOwner) {
2287 LOG_ALLOC("Parcel %p: freeing other owner data", this);
2288 //ALOGI("Freeing data ref of %p (pid=%d)", this, getpid());
2289 mOwner(this, mData, mDataSize, mObjects, mObjectsSize, mOwnerCookie);
2290 } else {
2291 LOG_ALLOC("Parcel %p: freeing allocated data", this);
2292 releaseObjects();
2293 if (mData) {
2294 LOG_ALLOC("Parcel %p: freeing with %zu capacity", this, mDataCapacity);
2295 pthread_mutex_lock(&gParcelGlobalAllocSizeLock);
2296 if (mDataCapacity <= gParcelGlobalAllocSize) {
2297 gParcelGlobalAllocSize = gParcelGlobalAllocSize - mDataCapacity;
2298 } else {
2299 gParcelGlobalAllocSize = 0;
2300 }
2301 if (gParcelGlobalAllocCount > 0) {
2302 gParcelGlobalAllocCount--;
2303 }
2304 pthread_mutex_unlock(&gParcelGlobalAllocSizeLock);
2305 free(mData);
2306 }
2307 if (mObjects) free(mObjects);
2308 }
2309 }
2310
growData(size_t len)2311 status_t Parcel::growData(size_t len)
2312 {
2313 if (len > INT32_MAX) {
2314 // don't accept size_t values which may have come from an
2315 // inadvertent conversion from a negative int.
2316 return BAD_VALUE;
2317 }
2318
2319 size_t newSize = ((mDataSize+len)*3)/2;
2320 return (newSize <= mDataSize)
2321 ? (status_t) NO_MEMORY
2322 : continueWrite(newSize);
2323 }
2324
restartWrite(size_t desired)2325 status_t Parcel::restartWrite(size_t desired)
2326 {
2327 if (desired > INT32_MAX) {
2328 // don't accept size_t values which may have come from an
2329 // inadvertent conversion from a negative int.
2330 return BAD_VALUE;
2331 }
2332
2333 if (mOwner) {
2334 freeData();
2335 return continueWrite(desired);
2336 }
2337
2338 uint8_t* data = (uint8_t*)realloc(mData, desired);
2339 if (!data && desired > mDataCapacity) {
2340 mError = NO_MEMORY;
2341 return NO_MEMORY;
2342 }
2343
2344 releaseObjects();
2345
2346 if (data) {
2347 LOG_ALLOC("Parcel %p: restart from %zu to %zu capacity", this, mDataCapacity, desired);
2348 pthread_mutex_lock(&gParcelGlobalAllocSizeLock);
2349 gParcelGlobalAllocSize += desired;
2350 gParcelGlobalAllocSize -= mDataCapacity;
2351 if (!mData) {
2352 gParcelGlobalAllocCount++;
2353 }
2354 pthread_mutex_unlock(&gParcelGlobalAllocSizeLock);
2355 mData = data;
2356 mDataCapacity = desired;
2357 }
2358
2359 mDataSize = mDataPos = 0;
2360 ALOGV("restartWrite Setting data size of %p to %zu", this, mDataSize);
2361 ALOGV("restartWrite Setting data pos of %p to %zu", this, mDataPos);
2362
2363 free(mObjects);
2364 mObjects = NULL;
2365 mObjectsSize = mObjectsCapacity = 0;
2366 mNextObjectHint = 0;
2367 mHasFds = false;
2368 mFdsKnown = true;
2369 mAllowFds = true;
2370
2371 return NO_ERROR;
2372 }
2373
continueWrite(size_t desired)2374 status_t Parcel::continueWrite(size_t desired)
2375 {
2376 if (desired > INT32_MAX) {
2377 // don't accept size_t values which may have come from an
2378 // inadvertent conversion from a negative int.
2379 return BAD_VALUE;
2380 }
2381
2382 // If shrinking, first adjust for any objects that appear
2383 // after the new data size.
2384 size_t objectsSize = mObjectsSize;
2385 if (desired < mDataSize) {
2386 if (desired == 0) {
2387 objectsSize = 0;
2388 } else {
2389 while (objectsSize > 0) {
2390 if (mObjects[objectsSize-1] < desired)
2391 break;
2392 objectsSize--;
2393 }
2394 }
2395 }
2396
2397 if (mOwner) {
2398 // If the size is going to zero, just release the owner's data.
2399 if (desired == 0) {
2400 freeData();
2401 return NO_ERROR;
2402 }
2403
2404 // If there is a different owner, we need to take
2405 // posession.
2406 uint8_t* data = (uint8_t*)malloc(desired);
2407 if (!data) {
2408 mError = NO_MEMORY;
2409 return NO_MEMORY;
2410 }
2411 binder_size_t* objects = NULL;
2412
2413 if (objectsSize) {
2414 objects = (binder_size_t*)calloc(objectsSize, sizeof(binder_size_t));
2415 if (!objects) {
2416 free(data);
2417
2418 mError = NO_MEMORY;
2419 return NO_MEMORY;
2420 }
2421
2422 // Little hack to only acquire references on objects
2423 // we will be keeping.
2424 size_t oldObjectsSize = mObjectsSize;
2425 mObjectsSize = objectsSize;
2426 acquireObjects();
2427 mObjectsSize = oldObjectsSize;
2428 }
2429
2430 if (mData) {
2431 memcpy(data, mData, mDataSize < desired ? mDataSize : desired);
2432 }
2433 if (objects && mObjects) {
2434 memcpy(objects, mObjects, objectsSize*sizeof(binder_size_t));
2435 }
2436 //ALOGI("Freeing data ref of %p (pid=%d)", this, getpid());
2437 mOwner(this, mData, mDataSize, mObjects, mObjectsSize, mOwnerCookie);
2438 mOwner = NULL;
2439
2440 LOG_ALLOC("Parcel %p: taking ownership of %zu capacity", this, desired);
2441 pthread_mutex_lock(&gParcelGlobalAllocSizeLock);
2442 gParcelGlobalAllocSize += desired;
2443 gParcelGlobalAllocCount++;
2444 pthread_mutex_unlock(&gParcelGlobalAllocSizeLock);
2445
2446 mData = data;
2447 mObjects = objects;
2448 mDataSize = (mDataSize < desired) ? mDataSize : desired;
2449 ALOGV("continueWrite Setting data size of %p to %zu", this, mDataSize);
2450 mDataCapacity = desired;
2451 mObjectsSize = mObjectsCapacity = objectsSize;
2452 mNextObjectHint = 0;
2453
2454 } else if (mData) {
2455 if (objectsSize < mObjectsSize) {
2456 // Need to release refs on any objects we are dropping.
2457 const sp<ProcessState> proc(ProcessState::self());
2458 for (size_t i=objectsSize; i<mObjectsSize; i++) {
2459 const flat_binder_object* flat
2460 = reinterpret_cast<flat_binder_object*>(mData+mObjects[i]);
2461 if (flat->type == BINDER_TYPE_FD) {
2462 // will need to rescan because we may have lopped off the only FDs
2463 mFdsKnown = false;
2464 }
2465 release_object(proc, *flat, this, &mOpenAshmemSize);
2466 }
2467 binder_size_t* objects =
2468 (binder_size_t*)realloc(mObjects, objectsSize*sizeof(binder_size_t));
2469 if (objects) {
2470 mObjects = objects;
2471 }
2472 mObjectsSize = objectsSize;
2473 mNextObjectHint = 0;
2474 }
2475
2476 // We own the data, so we can just do a realloc().
2477 if (desired > mDataCapacity) {
2478 uint8_t* data = (uint8_t*)realloc(mData, desired);
2479 if (data) {
2480 LOG_ALLOC("Parcel %p: continue from %zu to %zu capacity", this, mDataCapacity,
2481 desired);
2482 pthread_mutex_lock(&gParcelGlobalAllocSizeLock);
2483 gParcelGlobalAllocSize += desired;
2484 gParcelGlobalAllocSize -= mDataCapacity;
2485 pthread_mutex_unlock(&gParcelGlobalAllocSizeLock);
2486 mData = data;
2487 mDataCapacity = desired;
2488 } else if (desired > mDataCapacity) {
2489 mError = NO_MEMORY;
2490 return NO_MEMORY;
2491 }
2492 } else {
2493 if (mDataSize > desired) {
2494 mDataSize = desired;
2495 ALOGV("continueWrite Setting data size of %p to %zu", this, mDataSize);
2496 }
2497 if (mDataPos > desired) {
2498 mDataPos = desired;
2499 ALOGV("continueWrite Setting data pos of %p to %zu", this, mDataPos);
2500 }
2501 }
2502
2503 } else {
2504 // This is the first data. Easy!
2505 uint8_t* data = (uint8_t*)malloc(desired);
2506 if (!data) {
2507 mError = NO_MEMORY;
2508 return NO_MEMORY;
2509 }
2510
2511 if(!(mDataCapacity == 0 && mObjects == NULL
2512 && mObjectsCapacity == 0)) {
2513 ALOGE("continueWrite: %zu/%p/%zu/%zu", mDataCapacity, mObjects, mObjectsCapacity, desired);
2514 }
2515
2516 LOG_ALLOC("Parcel %p: allocating with %zu capacity", this, desired);
2517 pthread_mutex_lock(&gParcelGlobalAllocSizeLock);
2518 gParcelGlobalAllocSize += desired;
2519 gParcelGlobalAllocCount++;
2520 pthread_mutex_unlock(&gParcelGlobalAllocSizeLock);
2521
2522 mData = data;
2523 mDataSize = mDataPos = 0;
2524 ALOGV("continueWrite Setting data size of %p to %zu", this, mDataSize);
2525 ALOGV("continueWrite Setting data pos of %p to %zu", this, mDataPos);
2526 mDataCapacity = desired;
2527 }
2528
2529 return NO_ERROR;
2530 }
2531
initState()2532 void Parcel::initState()
2533 {
2534 LOG_ALLOC("Parcel %p: initState", this);
2535 mError = NO_ERROR;
2536 mData = 0;
2537 mDataSize = 0;
2538 mDataCapacity = 0;
2539 mDataPos = 0;
2540 ALOGV("initState Setting data size of %p to %zu", this, mDataSize);
2541 ALOGV("initState Setting data pos of %p to %zu", this, mDataPos);
2542 mObjects = NULL;
2543 mObjectsSize = 0;
2544 mObjectsCapacity = 0;
2545 mNextObjectHint = 0;
2546 mHasFds = false;
2547 mFdsKnown = true;
2548 mAllowFds = true;
2549 mOwner = NULL;
2550 mOpenAshmemSize = 0;
2551
2552 // racing multiple init leads only to multiple identical write
2553 if (gMaxFds == 0) {
2554 struct rlimit result;
2555 if (!getrlimit(RLIMIT_NOFILE, &result)) {
2556 gMaxFds = (size_t)result.rlim_cur;
2557 //ALOGI("parcel fd limit set to %zu", gMaxFds);
2558 } else {
2559 ALOGW("Unable to getrlimit: %s", strerror(errno));
2560 gMaxFds = 1024;
2561 }
2562 }
2563 }
2564
scanForFds() const2565 void Parcel::scanForFds() const
2566 {
2567 bool hasFds = false;
2568 for (size_t i=0; i<mObjectsSize; i++) {
2569 const flat_binder_object* flat
2570 = reinterpret_cast<const flat_binder_object*>(mData + mObjects[i]);
2571 if (flat->type == BINDER_TYPE_FD) {
2572 hasFds = true;
2573 break;
2574 }
2575 }
2576 mHasFds = hasFds;
2577 mFdsKnown = true;
2578 }
2579
getBlobAshmemSize() const2580 size_t Parcel::getBlobAshmemSize() const
2581 {
2582 // This used to return the size of all blobs that were written to ashmem, now we're returning
2583 // the ashmem currently referenced by this Parcel, which should be equivalent.
2584 // TODO: Remove method once ABI can be changed.
2585 return mOpenAshmemSize;
2586 }
2587
getOpenAshmemSize() const2588 size_t Parcel::getOpenAshmemSize() const
2589 {
2590 return mOpenAshmemSize;
2591 }
2592
2593 // --- Parcel::Blob ---
2594
Blob()2595 Parcel::Blob::Blob() :
2596 mFd(-1), mData(NULL), mSize(0), mMutable(false) {
2597 }
2598
~Blob()2599 Parcel::Blob::~Blob() {
2600 release();
2601 }
2602
release()2603 void Parcel::Blob::release() {
2604 if (mFd != -1 && mData) {
2605 ::munmap(mData, mSize);
2606 }
2607 clear();
2608 }
2609
init(int fd,void * data,size_t size,bool isMutable)2610 void Parcel::Blob::init(int fd, void* data, size_t size, bool isMutable) {
2611 mFd = fd;
2612 mData = data;
2613 mSize = size;
2614 mMutable = isMutable;
2615 }
2616
clear()2617 void Parcel::Blob::clear() {
2618 mFd = -1;
2619 mData = NULL;
2620 mSize = 0;
2621 mMutable = false;
2622 }
2623
2624 }; // namespace android
2625