| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "mojo/edk/system/message_pipe_dispatcher.h" | 5 #include "mojo/edk/system/message_pipe_dispatcher.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/debug/stack_trace.h" | 8 #include "base/debug/stack_trace.h" |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/message_loop/message_loop.h" | 10 #include "base/message_loop/message_loop.h" |
| (...skipping 175 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 186 void MessagePipeDispatcher::GotNonTransferableChannel(RawChannel* channel) { | 186 void MessagePipeDispatcher::GotNonTransferableChannel(RawChannel* channel) { |
| 187 base::AutoLock locker(lock()); | 187 base::AutoLock locker(lock()); |
| 188 channel_ = channel; | 188 channel_ = channel; |
| 189 while (!non_transferable_outgoing_message_queue_.IsEmpty()) { | 189 while (!non_transferable_outgoing_message_queue_.IsEmpty()) { |
| 190 channel_->WriteMessage( | 190 channel_->WriteMessage( |
| 191 non_transferable_outgoing_message_queue_.GetMessage()); | 191 non_transferable_outgoing_message_queue_.GetMessage()); |
| 192 } | 192 } |
| 193 | 193 |
| 194 if (non_transferable_state_ == WAITING_FOR_CONNECT_TO_CLOSE) { | 194 if (non_transferable_state_ == WAITING_FOR_CONNECT_TO_CLOSE) { |
| 195 // We kept this object alive until it's connected, we can release it now. | 195 // We kept this object alive until it's connected, we can release it now. |
| 196 // Since we're in a callback from the Broker, call it asynchronously. | 196 internal::g_broker->CloseMessagePipe(pipe_id_, this); |
| 197 internal::g_io_thread_task_runner->PostTask( | |
| 198 FROM_HERE, | |
| 199 base::Bind(&Broker::CloseMessagePipe, | |
| 200 base::Unretained(internal::g_broker), pipe_id_, | |
| 201 base::Unretained(this))); | |
| 202 non_transferable_state_ = CLOSED; | 197 non_transferable_state_ = CLOSED; |
| 203 channel_ = nullptr; | 198 channel_ = nullptr; |
| 204 base::MessageLoop::current()->ReleaseSoon(FROM_HERE, this); | 199 base::MessageLoop::current()->ReleaseSoon(FROM_HERE, this); |
| 205 } else { | 200 } else { |
| 206 non_transferable_state_ = CONNECTED; | 201 non_transferable_state_ = CONNECTED; |
| 207 } | 202 } |
| 208 } | 203 } |
| 209 | 204 |
| 210 #if defined(OS_WIN) | 205 #if defined(OS_WIN) |
| 211 // TODO(jam): this is copied from RawChannelWin till I figure out what's the | 206 // TODO(jam): this is copied from RawChannelWin till I figure out what's the |
| (...skipping 705 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 917 base::AutoLock locker(lock()); | 912 base::AutoLock locker(lock()); |
| 918 // We can get two OnError callbacks before the post task below completes. | 913 // We can get two OnError callbacks before the post task below completes. |
| 919 // Although RawChannel still has a pointer to this object until Shutdown is | 914 // Although RawChannel still has a pointer to this object until Shutdown is |
| 920 // called, that is safe since this class always does a PostTask to the IO | 915 // called, that is safe since this class always does a PostTask to the IO |
| 921 // thread to self destruct. | 916 // thread to self destruct. |
| 922 if (channel_ && error != ERROR_WRITE) { | 917 if (channel_ && error != ERROR_WRITE) { |
| 923 if (transferable_) { | 918 if (transferable_) { |
| 924 channel_->Shutdown(); | 919 channel_->Shutdown(); |
| 925 } else { | 920 } else { |
| 926 CHECK_NE(non_transferable_state_, CLOSED); | 921 CHECK_NE(non_transferable_state_, CLOSED); |
| 927 // Since we're in a callback from the Broker, call it asynchronously. | 922 internal::g_broker->CloseMessagePipe(pipe_id_, this); |
| 928 internal::g_io_thread_task_runner->PostTask( | |
| 929 FROM_HERE, | |
| 930 base::Bind(&Broker::CloseMessagePipe, | |
| 931 base::Unretained(internal::g_broker), pipe_id_, | |
| 932 base::Unretained(this))); | |
| 933 non_transferable_state_ = CLOSED; | 923 non_transferable_state_ = CLOSED; |
| 934 } | 924 } |
| 935 channel_ = nullptr; | 925 channel_ = nullptr; |
| 936 } | 926 } |
| 937 awakable_list_.AwakeForStateChange(GetHandleSignalsStateImplNoLock()); | 927 awakable_list_.AwakeForStateChange(GetHandleSignalsStateImplNoLock()); |
| 938 started_transport_.Release(); | 928 started_transport_.Release(); |
| 939 } else { | 929 } else { |
| 940 // We must be waiting to call ReleaseHandle. It will call Shutdown. | 930 // We must be waiting to call ReleaseHandle. It will call Shutdown. |
| 941 } | 931 } |
| 942 } | 932 } |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1000 // PostTask since the broker can call us back synchronously. | 990 // PostTask since the broker can call us back synchronously. |
| 1001 internal::g_io_thread_task_runner->PostTask( | 991 internal::g_io_thread_task_runner->PostTask( |
| 1002 FROM_HERE, | 992 FROM_HERE, |
| 1003 base::Bind(&Broker::ConnectMessagePipe, | 993 base::Bind(&Broker::ConnectMessagePipe, |
| 1004 base::Unretained(internal::g_broker), pipe_id_, | 994 base::Unretained(internal::g_broker), pipe_id_, |
| 1005 base::Unretained(this))); | 995 base::Unretained(this))); |
| 1006 } | 996 } |
| 1007 | 997 |
| 1008 } // namespace edk | 998 } // namespace edk |
| 1009 } // namespace mojo | 999 } // namespace mojo |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1537593002:
Fix UAF in new Mojo EDK. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master