RDH: Block a compromised renderer from reusing request ids

content/browser/loader/resource_dispatcher_host_impl.cc

Index: content/browser/loader/resource_dispatcher_host_impl.cc
diff --git a/content/browser/loader/resource_dispatcher_host_impl.cc b/content/browser/loader/resource_dispatcher_host_impl.cc
index d671e2b715abefdc166efd1417e480ffc84f137b..12a7f29ee7552568681b1cee694e371e25b2db80 100644
--- a/content/browser/loader/resource_dispatcher_host_impl.cc
+++ b/content/browser/loader/resource_dispatcher_host_impl.cc
@@ -1170,6 +1170,23 @@ void ResourceDispatcherHostImpl::OnSyncLoad(
                sync_result->routing_id());
 }
 
+bool ResourceDispatcherHostImpl::IsRequestIDInUse(
+    const GlobalRequestID& id) const {
+  if (pending_loaders_.find(id) != pending_loaders_.end())
+    return true;
+  for (BlockedLoadersMap::const_iterator iter = blocked_loaders_map_.begin();

[Charlie Reis, 2016/01/28 22:05:16]

nit: Maybe use C++11 range-based for loop here, similar to
ResourceDispatcherHostImpl::OnShutdown?  Would be a little more concise.

(For reference, the allowed C++11 uses are here:
https://chromium-cpp.appspot.com/.)

[gzobqq, 2016/01/30 07:18:57]

Done.

+       iter != blocked_loaders_map_.end(); ++iter) {
+    BlockedLoadersList* loaders = iter->second;
+    for (BlockedLoadersList::const_iterator loaders_iter = loaders->begin();
+         loaders_iter != loaders->end(); ++loaders_iter) {
+      ResourceRequestInfoImpl* info = (*loaders_iter)->GetRequestInfo();
+      if (info->GetGlobalRequestID() == id)
+        return true;
+    }
+  }
+  return false;
+}
+
 void ResourceDispatcherHostImpl::UpdateRequestForTransfer(
     int child_id,
     int route_id,
@@ -1254,6 +1271,14 @@ void ResourceDispatcherHostImpl::BeginRequest(
   int process_type = filter_->process_type();
   int child_id = filter_->child_id();
 
+  // Reject request id that's currently in use.
+  if (IsRequestIDInUse(GlobalRequestID(child_id, request_id))) {
+    bad_message::ReceivedBadMessage(
+        filter_,
+        bad_message::RDH_INVALID_REQUEST_ID);
+    return;
+  }
+
   // PlzNavigate: reject invalid renderer main resource request.
   if (IsBrowserSideNavigationEnabled() &&
       IsResourceTypeFrame(request_data.resource_type) &&