commit abaa0ed9ed2fb2f69220fd50737aff56205012d6
author Paul Jensen <pauljensen@google.com> Fri May 16 14:31:12 2014 -0400
committer Paul Jensen <pauljensen@google.com> Thu Jun 26 18:07:12 2014 +0000
tree a7935f3505253e87264b7f5d21a88e4eb310f8a7
parent e25e76c30081910d957aa1cbdd97eb24eefd5ebc

Enforce ConnectivityManager.releaseNetworkRequest callers own the NetworkRequest

Enforce that callers of ConnectivityManager.releaseNetworkRequest() are the
creators of the NetworkRequest being released by matching UIDs.

Change-Id: I439468c054bacc035e2db2c4967b24d183e78e9c

services/core/java/com/android/server/ConnectivityService.java

diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java
index dc6b6c7..19fff55 100644
--- a/services/core/java/com/android/server/ConnectivityService.java
+++ b/services/core/java/com/android/server/ConnectivityService.java
@@ -409,7 +409,8 @@
 
     /**
      * used to remove a network request, either a listener or a real request
-     * includes a NetworkRequest
+     * arg1 = UID of caller
+     * obj  = NetworkRequest
      */
     private static final int EVENT_RELEASE_NETWORK_REQUEST = 22;
 
@@ -3333,10 +3334,15 @@
         }
     }
 
-    private void handleReleaseNetworkRequest(NetworkRequest request) {
-        if (DBG) log("releasing NetworkRequest " + request);
-        NetworkRequestInfo nri = mNetworkRequests.remove(request);
+    private void handleReleaseNetworkRequest(NetworkRequest request, int callingUid) {
+        NetworkRequestInfo nri = mNetworkRequests.get(request);
         if (nri != null) {
+            if (nri.mUid != callingUid) {
+                if (DBG) log("Attempt to release unowned NetworkRequest " + request);
+                return;
+            }
+            if (DBG) log("releasing NetworkRequest " + request);
+            mNetworkRequests.remove(request);
             // tell the network currently servicing this that it's no longer interested
             NetworkAgentInfo affectedNetwork = mNetworkForRequestId.get(nri.request.requestId);
             if (affectedNetwork != null) {
@@ -3482,7 +3488,7 @@
                     break;
                 }
                 case EVENT_RELEASE_NETWORK_REQUEST: {
-                    handleReleaseNetworkRequest((NetworkRequest) msg.obj);
+                    handleReleaseNetworkRequest((NetworkRequest) msg.obj, msg.arg1);
                     break;
                 }
             }
@@ -5460,8 +5466,8 @@
 
     @Override
     public void releaseNetworkRequest(NetworkRequest networkRequest) {
-        mHandler.sendMessage(mHandler.obtainMessage(EVENT_RELEASE_NETWORK_REQUEST,
-                networkRequest));
+        mHandler.sendMessage(mHandler.obtainMessage(EVENT_RELEASE_NETWORK_REQUEST, getCallingUid(),
+                0, networkRequest));
     }
 
     @Override