RDH: Block a compromised renderer from reusing request ids

content/browser/loader/resource_dispatcher_host_impl.cc

Index: content/browser/loader/resource_dispatcher_host_impl.cc
diff --git a/content/browser/loader/resource_dispatcher_host_impl.cc b/content/browser/loader/resource_dispatcher_host_impl.cc
index 68f8fd0664762b8d3982f0e64a12a95ed66f686d..1db3d98e157c29ae3455281fdbd72dbf65d12d4a 100644
--- a/content/browser/loader/resource_dispatcher_host_impl.cc
+++ b/content/browser/loader/resource_dispatcher_host_impl.cc
@@ -1187,6 +1187,20 @@ void ResourceDispatcherHostImpl::OnSyncLoad(
                sync_result->routing_id());
 }
 
+bool ResourceDispatcherHostImpl::IsRequestIDInUse(
+    const GlobalRequestID& id) const {
+  if (pending_loaders_.find(id) != pending_loaders_.end())
+    return true;
+  for (const auto& blocked_loaders : blocked_loaders_map_) {
+    for (const auto& loader : *blocked_loaders.second.get()) {
+      ResourceRequestInfoImpl* info = loader->GetRequestInfo();
+      if (info->GetGlobalRequestID() == id)
+        return true;
+    }
+  }
+  return false;
+}
+
 void ResourceDispatcherHostImpl::UpdateRequestForTransfer(
     int child_id,
     int route_id,
@@ -1281,6 +1295,13 @@ void ResourceDispatcherHostImpl::BeginRequest(
   int process_type = filter_->process_type();
   int child_id = filter_->child_id();
 
+  // Reject request id that's currently in use.
+  if (IsRequestIDInUse(GlobalRequestID(child_id, request_id))) {
+    bad_message::ReceivedBadMessage(filter_,
+                                    bad_message::RDH_INVALID_REQUEST_ID);
+    return;
+  }
+
   // PlzNavigate: reject invalid renderer main resource request.
   if (IsBrowserSideNavigationEnabled() &&
       IsResourceTypeFrame(request_data.resource_type) &&