| OLD | NEW |
|---|
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/basictypes.h" |
| 5 #include "sandbox/src/crosscall_client.h" | 6 #include "sandbox/src/crosscall_client.h" |
| 6 #include "sandbox/src/crosscall_server.h" | 7 #include "sandbox/src/crosscall_server.h" |
| 7 #include "sandbox/src/sharedmem_ipc_client.h" | 8 #include "sandbox/src/sharedmem_ipc_client.h" |
| 8 #include "testing/gtest/include/gtest/gtest.h" | 9 #include "testing/gtest/include/gtest/gtest.h" |
| 9 | 10 |
| 10 | 11 |
| 11 namespace sandbox { | 12 namespace sandbox { |
| 12 | 13 |
| 13 // Helper function to make the fake shared memory with some | 14 // Helper function to make the fake shared memory with some |
| 14 // basic elements initialized. | 15 // basic elements initialized. |
| (...skipping 192 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 207 EXPECT_EQ(WCHAR_TYPE, type); | 208 EXPECT_EQ(WCHAR_TYPE, type); |
| 208 | 209 |
| 209 for (size_t ix = 0; ix != client_control->channels_count; ++ix) { | 210 for (size_t ix = 0; ix != client_control->channels_count; ++ix) { |
| 210 ChannelControl& channel = client_control->channels[ix]; | 211 ChannelControl& channel = client_control->channels[ix]; |
| 211 ::CloseHandle(channel.ping_event); | 212 ::CloseHandle(channel.ping_event); |
| 212 ::CloseHandle(channel.pong_event); | 213 ::CloseHandle(channel.pong_event); |
| 213 } | 214 } |
| 214 delete [] reinterpret_cast<char*>(client_control); | 215 delete [] reinterpret_cast<char*>(client_control); |
| 215 } | 216 } |
| 216 | 217 |
| 218 TEST(IPCTest, CrossCallValidation) { |
| 219 // First a sanity test with a well formed parameter object. |
| 220 unsigned long value = 124816; |
| 221 const uint32 kTag = 33; |
| 222 ActualCallParams<1, 128> params_1(kTag); |
| 223 params_1.CopyParamIn(0, &value, sizeof(value), false, ULONG_TYPE); |
| 224 void* buffer = const_cast<void*>(params_1.GetBuffer()); |
| 225 |
| 226 size_t out_size = 0; |
| 227 CrossCallParamsEx* ccp = 0; |
| 228 ccp = CrossCallParamsEx::CreateFromBuffer(buffer, params_1.GetSize(), |
| 229 &out_size); |
| 230 ASSERT_TRUE(NULL != ccp); |
| 231 EXPECT_TRUE(ccp->GetBuffer() != buffer); |
| 232 EXPECT_EQ(kTag, ccp->GetTag()); |
| 233 EXPECT_EQ(1, ccp->GetParamsCount()); |
| 234 delete[] (reinterpret_cast<char*>(ccp)); |
| 235 |
| 236 #if defined(NDEBUG) |
| 237 // Test hat we handle integer overflow on the number of params |
| 238 // correctly. We use a test-only ctor for ActualCallParams that |
| 239 // allows to create malformed cross-call buffers. |
| 240 const int32 kPtrDiffSz = sizeof(ptrdiff_t); |
| 241 for (int32 ix = -1; ix != 3; ++ix) { |
| 242 uint32 fake_num_params = (kuint32max / kPtrDiffSz) + ix; |
| 243 ActualCallParams<1, 128> params_2(kTag, fake_num_params); |
| 244 params_2.CopyParamIn(0, &value, sizeof(value), false, ULONG_TYPE); |
| 245 buffer = const_cast<void*>(params_2.GetBuffer()); |
| 246 |
| 247 EXPECT_TRUE(NULL != buffer); |
| 248 ccp = CrossCallParamsEx::CreateFromBuffer(buffer, params_2.GetSize(), |
| 249 &out_size); |
| 250 // If the buffer is malformed the return is NULL. |
| 251 EXPECT_TRUE(NULL == ccp); |
| 252 } |
| 253 #endif // defined(NDEBUG) |
| 254 } |
| 255 |
| 217 // This structure is passed to the mock server threads to simulate | 256 // This structure is passed to the mock server threads to simulate |
| 218 // the server side IPC so it has the required kernel objects. | 257 // the server side IPC so it has the required kernel objects. |
| 219 struct ServerEvents { | 258 struct ServerEvents { |
| 220 HANDLE ping; | 259 HANDLE ping; |
| 221 HANDLE pong; | 260 HANDLE pong; |
| 222 volatile LONG* state; | 261 volatile LONG* state; |
| 223 HANDLE mutex; | 262 HANDLE mutex; |
| 224 }; | 263 }; |
| 225 | 264 |
| 226 // This is the server thread that quicky answers an IPC and exits. | 265 // This is the server thread that quicky answers an IPC and exits. |
| (...skipping 193 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 420 for (size_t ix = 0; ix != client_control->channels_count; ++ix) { | 459 for (size_t ix = 0; ix != client_control->channels_count; ++ix) { |
| 421 ChannelControl& channel = client_control->channels[ix]; | 460 ChannelControl& channel = client_control->channels[ix]; |
| 422 ::CloseHandle(channel.ping_event); | 461 ::CloseHandle(channel.ping_event); |
| 423 ::CloseHandle(channel.pong_event); | 462 ::CloseHandle(channel.pong_event); |
| 424 } | 463 } |
| 425 ::CloseHandle(client_control->server_alive); | 464 ::CloseHandle(client_control->server_alive); |
| 426 delete [] reinterpret_cast<char*>(client_control); | 465 delete [] reinterpret_cast<char*>(client_control); |
| 427 } | 466 } |
| 428 | 467 |
| 429 } // namespace sandbox | 468 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 555093:
Merge 36923 - Fix integer overflow in sbox... (Closed)
Base URL: svn://svn.chromium.org/chrome/branches/249s/src/