mojo/edk/system/channel_win.cc - Issue 1985523002: [mojo-edk] Better validation of untrusted message data

Side by Side Diff: mojo/edk/system/channel_win.cc

Issue 1985523002: [mojo-edk] Better validation of untrusted message data (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 4 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2016 The Chromium Authors. All rights reserved.	1 // Copyright 2016 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "mojo/edk/system/channel.h"	5 #include "mojo/edk/system/channel.h"

6	6

7 #include <stdint.h>	7 #include <stdint.h>

8 #include <windows.h>	8 #include <windows.h>

9	9

10 #include <algorithm>	10 #include <algorithm>

(...skipping 96 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
107 reject_writes_ = write_error = true;	107 reject_writes_ = write_error = true;

108 }	108 }

109 if (write_error) {	109 if (write_error) {

110 // Do not synchronously invoke OnError(). Write() may have been called by	110 // Do not synchronously invoke OnError(). Write() may have been called by

111 // the delegate and we don't want to re-enter it.	111 // the delegate and we don't want to re-enter it.

112 io_task_runner_->PostTask(FROM_HERE,	112 io_task_runner_->PostTask(FROM_HERE,

113 base::Bind(&ChannelWin::OnError, this));	113 base::Bind(&ChannelWin::OnError, this));

114 }	114 }

115 }	115 }

116	116

117 ScopedPlatformHandleVectorPtr GetReadPlatformHandles(	117 bool GetReadPlatformHandles(

118 size_t num_handles,	118 size_t num_handles,

119 const void* extra_header,	119 const void* extra_header,

120 size_t extra_header_size) override {	120 size_t extra_header_size,

	121 ScopedPlatformHandleVectorPtr* handles) override {

121 size_t handles_size = sizeof(PlatformHandle) * num_handles;	122 size_t handles_size = sizeof(PlatformHandle) * num_handles;
	Oliver Chang 2016/05/16 17:11:34 \|num_handles\| here is a size_t, which means that i \|num_handles\| here is a size_t, which means that it's possible for this calculation to overflow (similar in channel_posix.cc). It seems that mojo::edk::Channel::Message::Header::num_handles is uint16_t, but could we still get a sanity check for num_handles <= numeric_limits<uint16_t>::max()? Ken Rockot(use gerrit already) 2016/05/16 17:15:32 Done Show quoted text On 2016/05/16 at 17:11:34, Oliver Chang wrote: > \|num_handles\| here is a size_t, which means that it's possible for this calculation to overflow (similar in channel_posix.cc). > > It seems that mojo::edk::Channel::Message::Header::num_handles is uint16_t, but could we still get a sanity check for num_handles <= numeric_limits<uint16_t>::max()? Done
122 if (handles_size > extra_header_size)	123 if (handles_size > extra_header_size)

123 return nullptr;	124 return false;

124	125 DCHECK(extra_header);

125 ScopedPlatformHandleVectorPtr handles(	126 handles->reset(new PlatformHandleVector(num_handles));

126 new PlatformHandleVector(num_handles));	127 memcpy((*handles)->data(), extra_header, handles_size);

127 memcpy(handles->data(), extra_header, handles_size);	128 return true;

128 return handles;

129 }	129 }

130	130

131 private:	131 private:

132 // May run on any thread.	132 // May run on any thread.

133 ~ChannelWin() override {	133 ~ChannelWin() override {

134 // This is intentionally not 0. If another object is constructed on top of	134 // This is intentionally not 0. If another object is constructed on top of

135 // this memory, it is likely to initialise values to 0. Using a non-zero	135 // this memory, it is likely to initialise values to 0. Using a non-zero

136 // value lets us detect the difference between just destroying, and	136 // value lets us detect the difference between just destroying, and

137 // re-allocating the memory.	137 // re-allocating the memory.

138 sentinel_ = UINTPTR_MAX;	138 sentinel_ = UINTPTR_MAX;

(...skipping 173 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
312 // static	312 // static

313 scoped_refptr<Channel> Channel::Create(	313 scoped_refptr<Channel> Channel::Create(

314 Delegate* delegate,	314 Delegate* delegate,

315 ScopedPlatformHandle platform_handle,	315 ScopedPlatformHandle platform_handle,

316 scoped_refptr<base::TaskRunner> io_task_runner) {	316 scoped_refptr<base::TaskRunner> io_task_runner) {

317 return new ChannelWin(delegate, std::move(platform_handle), io_task_runner);	317 return new ChannelWin(delegate, std::move(platform_handle), io_task_runner);

318 }	318 }

319	319

320 } // namespace edk	320 } // namespace edk

321 } // namespace mojo	321 } // namespace mojo

OLD	NEW

« no previous file with comments | « mojo/edk/system/channel_posix.cc ('k') | no next file » | no next file with comments »