| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "mojo/edk/system/child_broker.h" | 5 #include "mojo/edk/system/child_broker.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/logging.h" | 8 #include "base/logging.h" |
| 9 #include "mojo/edk/embedder/embedder_internal.h" | 9 #include "mojo/edk/embedder/embedder_internal.h" |
| 10 #include "mojo/edk/embedder/platform_channel_pair.h" | 10 #include "mojo/edk/embedder/platform_channel_pair.h" |
| (...skipping 254 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 265 | 265 |
| 266 void ChildBroker::AttachMessagePipe(MessagePipeDispatcher* message_pipe, | 266 void ChildBroker::AttachMessagePipe(MessagePipeDispatcher* message_pipe, |
| 267 uint64_t pipe_id, | 267 uint64_t pipe_id, |
| 268 RoutedRawChannel* raw_channel) { | 268 RoutedRawChannel* raw_channel) { |
| 269 connected_pipes_[message_pipe] = raw_channel; | 269 connected_pipes_[message_pipe] = raw_channel; |
| 270 // Note: we must call GotNonTransferableChannel before AddRoute because there | 270 // Note: we must call GotNonTransferableChannel before AddRoute because there |
| 271 // could be race conditions if the pipe got queued messages in |AddRoute| but | 271 // could be race conditions if the pipe got queued messages in |AddRoute| but |
| 272 // then when it's read it returns no messages because it doesn't have the | 272 // then when it's read it returns no messages because it doesn't have the |
| 273 // channel yet. | 273 // channel yet. |
| 274 message_pipe->GotNonTransferableChannel(raw_channel->channel()); | 274 message_pipe->GotNonTransferableChannel(raw_channel->channel()); |
| 275 raw_channel->AddRoute(pipe_id, message_pipe); | 275 // The above call could have caused |CloseMessagePipe| to be called. |
| 276 if (connected_pipes_.find(message_pipe) != connected_pipes_.end()) |
| 277 raw_channel->AddRoute(pipe_id, message_pipe); |
| 276 } | 278 } |
| 277 | 279 |
| 278 #if defined(OS_WIN) | 280 #if defined(OS_WIN) |
| 279 | 281 |
| 280 bool ChildBroker::WriteAndReadResponse(BrokerMessage* message, | 282 bool ChildBroker::WriteAndReadResponse(BrokerMessage* message, |
| 281 void* response, | 283 void* response, |
| 282 uint32_t response_size) { | 284 uint32_t response_size) { |
| 283 CHECK(parent_sync_channel_.is_valid()); | 285 CHECK(parent_sync_channel_.is_valid()); |
| 284 | 286 |
| 285 bool result = true; | 287 bool result = true; |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 320 if (WriteAndReadResponse(&message, handles, response_size)) { | 322 if (WriteAndReadResponse(&message, handles, response_size)) { |
| 321 server->reset(PlatformHandle(handles[0])); | 323 server->reset(PlatformHandle(handles[0])); |
| 322 client->reset(PlatformHandle(handles[1])); | 324 client->reset(PlatformHandle(handles[1])); |
| 323 } | 325 } |
| 324 } | 326 } |
| 325 | 327 |
| 326 #endif | 328 #endif |
| 327 | 329 |
| 328 } // namespace edk | 330 } // namespace edk |
| 329 } // namespace mojo | 331 } // namespace mojo |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1537593002:
Fix UAF in new Mojo EDK. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master