| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "debug.h" | 5 #include "debug.h" |
| 6 #include "sandbox_impl.h" | 6 #include "sandbox_impl.h" |
| 7 | 7 |
| 8 namespace playground { | 8 namespace playground { |
| 9 | 9 |
| 10 #if defined(__NR_socket) | 10 #if defined(__NR_socket) |
| 281 // Read request | 281 // Read request |
| 282 struct { | 282 struct { |
| 283 SendMsg sendmsg_req; | 283 SendMsg sendmsg_req; |
| 284 struct msghdr msg; | 284 struct msghdr msg; |
| 285 } __attribute__((packed)) data; | 285 } __attribute__((packed)) data; |
| 286 SysCalls sys; | 286 SysCalls sys; |
| 287 if (read(sys, sandboxFd, &data, sizeof(data)) != sizeof(data)) { | 287 if (read(sys, sandboxFd, &data, sizeof(data)) != sizeof(data)) { |
| 288 die("Failed to read parameters for sendmsg() [process]"); | 288 die("Failed to read parameters for sendmsg() [process]"); |
| 289 } | 289 } |
| 290 | 290 |
| 291 if (data.msg.msg_namelen < 0 || data.msg.msg_namelen > 4096 || | 291 if (data.msg.msg_namelen > 4096 || data.msg.msg_controllen > 4096) { |
| 292 data.msg.msg_controllen < 0 || data.msg.msg_controllen > 4096) { | |
| 293 die("Unexpected size for socketcall() payload [process]"); | 292 die("Unexpected size for socketcall() payload [process]"); |
| 294 } | 293 } |
| 295 char extra[data.msg.msg_namelen + data.msg.msg_controllen]; | 294 char extra[data.msg.msg_namelen + data.msg.msg_controllen]; |
| 296 if (read(sys, sandboxFd, &extra, sizeof(extra)) != (ssize_t)sizeof(extra)) { | 295 if (read(sys, sandboxFd, &extra, sizeof(extra)) != (ssize_t)sizeof(extra)) { |
| 297 die("Failed to read parameters for sendmsg() [process]"); | 296 die("Failed to read parameters for sendmsg() [process]"); |
| 298 } | 297 } |
| 299 if (sizeof(struct msghdr) + sizeof(extra) > sizeof(mem->pathname)) { | 298 if (sizeof(struct msghdr) + sizeof(extra) > sizeof(mem->pathname)) { |
| 300 goto deny; | 299 goto deny; |
| 301 } | 300 } |
| 302 | 301 |
| 760 sizeof(socklen_t)); | 759 sizeof(socklen_t)); |
| 761 } else if (socketcall_req.call == SYS_SENDMSG) { | 760 } else if (socketcall_req.call == SYS_SENDMSG) { |
| 762 numExtraData = sizeof(*socketcall_req.args.sendmsg.msg); | 761 numExtraData = sizeof(*socketcall_req.args.sendmsg.msg); |
| 763 } else if (socketcall_req.call == SYS_RECVMSG) { | 762 } else if (socketcall_req.call == SYS_RECVMSG) { |
| 764 numExtraData = sizeof(*socketcall_req.args.recvmsg.msg); | 763 numExtraData = sizeof(*socketcall_req.args.recvmsg.msg); |
| 765 } | 764 } |
| 766 | 765 |
| 767 // Verify that the length for the payload is reasonable. We don't want to | 766 // Verify that the length for the payload is reasonable. We don't want to |
| 768 // blow up our stack, and excessive (or negative) buffer sizes are almost | 767 // blow up our stack, and excessive (or negative) buffer sizes are almost |
| 769 // certainly a bug. | 768 // certainly a bug. |
| 770 if (numExtraData < 0 || numExtraData > 4096) { | 769 if (numExtraData > 4096) { |
| 771 die("Unexpected size for socketcall() payload [process]"); | 770 die("Unexpected size for socketcall() payload [process]"); |
| 772 } | 771 } |
| 773 | 772 |
| 774 // Read the extra payload, if any. | 773 // Read the extra payload, if any. |
| 775 char extra[numExtraData]; | 774 char extra[numExtraData]; |
| 776 if (numExtraData) { | 775 if (numExtraData) { |
| 777 if (read(sys, sandboxFd, extra, numExtraData) != (ssize_t)numExtraData) { | 776 if (read(sys, sandboxFd, extra, numExtraData) != (ssize_t)numExtraData) { |
| 778 die("Failed to read socketcall() payload [process]"); | 777 die("Failed to read socketcall() payload [process]"); |
| 779 } | 778 } |
| 780 } | 779 } |
| 781 | 780 |
| 782 // sendmsg() has another level of indirection and can carry even more payload | 781 // sendmsg() has another level of indirection and can carry even more payload |
| 783 ssize_t numSendmsgExtra = 0; | 782 ssize_t numSendmsgExtra = 0; |
| 784 if (socketcall_req.call == SYS_SENDMSG) { | 783 if (socketcall_req.call == SYS_SENDMSG) { |
| 785 struct msghdr* msg = reinterpret_cast<struct msghdr*>(extra); | 784 struct msghdr* msg = reinterpret_cast<struct msghdr*>(extra); |
| 786 if (msg->msg_namelen < 0 || msg->msg_namelen > 4096 || | 785 if (msg->msg_namelen > 4096 || msg->msg_controllen > 4096) { |
| 787 msg->msg_controllen < 0 || msg->msg_controllen > 4096) { | |
| 788 die("Unexpected size for socketcall() payload [process]"); | 786 die("Unexpected size for socketcall() payload [process]"); |
| 789 } | 787 } |
| 790 numSendmsgExtra = msg->msg_namelen + msg->msg_controllen; | 788 numSendmsgExtra = msg->msg_namelen + msg->msg_controllen; |
| 791 } | 789 } |
| 792 char sendmsgExtra[numSendmsgExtra]; | 790 char sendmsgExtra[numSendmsgExtra]; |
| 793 if (numSendmsgExtra) { | 791 if (numSendmsgExtra) { |
| 794 if (read(sys, sandboxFd, sendmsgExtra, numSendmsgExtra) != | 792 if (read(sys, sandboxFd, sendmsgExtra, numSendmsgExtra) != |
| 795 numSendmsgExtra) { | 793 numSendmsgExtra) { |
| 796 die("Failed to read socketcall() payload [process]"); | 794 die("Failed to read socketcall() payload [process]"); |
| 797 } | 795 } |
| 1032 default: | 1030 default: |
| 1033 deny: | 1031 deny: |
| 1034 SecureMem::abandonSystemCall(threadFd, rc); | 1032 SecureMem::abandonSystemCall(threadFd, rc); |
| 1035 return false; | 1033 return false; |
| 1036 } | 1034 } |
| 1037 } | 1035 } |
| 1038 | 1036 |
| 1039 #endif | 1037 #endif |
| 1040 | 1038 |
| 1041 } // namespace | 1039 } // namespace |
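Review bot: Dropping the `< 0` tests in the new 769 and 785 checks is only sound if `numExtraData`, `msg_namelen` and `msg_controllen` are all unsigned; the two msghdr fields are (socklen_t and size_t on Linux), but `numExtraData` is declared above this section and its type is not visible here, and the `(ssize_t)numExtraData` cast on new line 776 suggests it is unsigned rather than proving it. These checks exist to bound the `extra` and `sendmsgExtra` stack VLAs, so if that variable were ever made signed a negative length would now pass the upper-bound test and size the VLA from it. Worth pinning the assumption next to the check, e.g. `// numExtraData and the msghdr length fields are unsigned, so the upper bound alone keeps the VLA at or below 4096 bytes` (or a compile-time assert if one is available in this file). The same reasoning applies to the mirrored check at new line 291 in the first hunk. The enclosing functions start and end outside this section.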