
Side by Side Diff: mojo/edk/system/broker_state.cc

Issue 1537593002: Fix UAF in new Mojo EDK. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: improve comment Created 5 years ago
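--- a/mojo/edk/system/broker_state.cc
+++ b/mojo/edk/system/broker_state.cc
@@ -1,10 +1,10 @@
 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "mojo/edk/system/broker_state.h"
 
 #include "base/bind.h"
 #include "base/rand_util.h"
 #include "mojo/edk/embedder/embedder_internal.h"
 #include "mojo/edk/embedder/platform_channel_pair.h"
@@ -95,21 +95,20 @@
     pending_child_connects_.erase(pipe_id);
     return;
   }
 
   pending_connects_[pipe_id] = message_pipe;
 }
 
 void BrokerState::CloseMessagePipe(uint64_t pipe_id,
                                    MessagePipeDispatcher* message_pipe) {
   DCHECK(internal::g_io_thread_task_runner->RunsTasksOnCurrentThread());
-  base::AutoLock auto_lock(lock_);
 
   CHECK(connected_pipes_.find(message_pipe) != connected_pipes_.end());
   connected_pipes_[message_pipe]->RemoveRoute(pipe_id);
   connected_pipes_.erase(message_pipe);
 }
 
 void BrokerState::ChildBrokerHostCreated(ChildBrokerHost* child_broker_host) {
   base::AutoLock auto_lock(lock_);
   CHECK(child_processes_.find(child_broker_host->GetProcessId()) ==
         child_processes_.end());
@@ -228,15 +227,17 @@
 
 void BrokerState::AttachMessagePipe(MessagePipeDispatcher* message_pipe,
                                     uint64_t pipe_id,
                                     RoutedRawChannel* raw_channel) {
   connected_pipes_[message_pipe] = raw_channel;
   // Note: we must call GotNonTransferableChannel before AddRoute because there
   // could be race conditions if the pipe got queued messages in |AddRoute| but
   // then when it's read it returns no messages because it doesn't have the
   // channel yet.
   message_pipe->GotNonTransferableChannel(raw_channel->channel());
-  raw_channel->AddRoute(pipe_id, message_pipe);
+  // The above call could have caused |CloseMessagePipe| to be called.
+  if (connected_pipes_.find(message_pipe) != connected_pipes_.end())
+    raw_channel->AddRoute(pipe_id, message_pipe);
 }
 
 }  // namespace edk
 }  // namespace mojo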
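Review bot: With `base::AutoLock auto_lock(lock_);` removed from CloseMessagePipe, connected_pipes_ is now protected only by IO-thread affinity, yet AttachMessagePipe in the last hunk reads and writes the same map with neither lock_ nor the thread DCHECK that CloseMessagePipe has; add `DCHECK(internal::g_io_thread_task_runner->RunsTasksOnCurrentThread());` as its first line so the invariant the new re-entrancy check relies on is enforced. The new comment should also state what the check protects against, e.g. `// GotNonTransferableChannel may re-enter CloseMessagePipe, which erases |message_pipe| from connected_pipes_ and may free it; only add the route if it is still attached.` The lookup is by pointer value only, so it cannot distinguish a closed-and-freed dispatcher from a new one attached at the same address; that is sound only while both paths stay on the IO thread, which is why the DCHECK matters. If broker_state.h (outside this diff) still documents connected_pipes_ as guarded by lock_, that comment needs updating as well.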