| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "mojo/edk/system/channel.h" | 5 #include "mojo/edk/system/channel.h" |
| 6 | 6 |
| 7 #include <string.h> | 7 #include <string.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 #include <limits> | 10 #include <limits> |
| (...skipping 138 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 149 << " > " << max_handles; | 149 << " > " << max_handles; |
| 150 return nullptr; | 150 return nullptr; |
| 151 } | 151 } |
| 152 | 152 |
| 153 MessagePtr message(new Message(data_num_bytes - header->num_header_bytes, | 153 MessagePtr message(new Message(data_num_bytes - header->num_header_bytes, |
| 154 max_handles)); | 154 max_handles)); |
| 155 DCHECK_EQ(message->data_num_bytes(), data_num_bytes); | 155 DCHECK_EQ(message->data_num_bytes(), data_num_bytes); |
| 156 DCHECK_EQ(message->extra_header_size(), extra_header_size); | 156 DCHECK_EQ(message->extra_header_size(), extra_header_size); |
| 157 DCHECK_EQ(message->header_->num_header_bytes, header->num_header_bytes); | 157 DCHECK_EQ(message->header_->num_header_bytes, header->num_header_bytes); |
| 158 | 158 |
| 159 // Copy all payload bytes. | 159 if (data_num_bytes > header->num_header_bytes) { |
| 160 memcpy(message->mutable_payload(), | 160 // Copy all payload bytes. |
| 161 static_cast<const char*>(data) + header->num_header_bytes, | 161 memcpy(message->mutable_payload(), |
| 162 data_num_bytes - header->num_header_bytes); | 162 static_cast<const char*>(data) + header->num_header_bytes, |
| 163 // Copy extra header bytes. | 163 data_num_bytes - header->num_header_bytes); |
| 164 memcpy(message->mutable_extra_header(), | 164 } |
| 165 static_cast<const char*>(data) + sizeof(Header), | 165 |
| 166 message->extra_header_size()); | 166 if (message->extra_header_size()) { |
| 167 // Copy extra header bytes. |
| 168 memcpy(message->mutable_extra_header(), |
| 169 static_cast<const char*>(data) + sizeof(Header), |
| 170 message->extra_header_size()); |
| 171 } |
| 172 |
| 167 message->header_->num_handles = header->num_handles; | 173 message->header_->num_handles = header->num_handles; |
| 168 | 174 |
| 169 return message; | 175 return message; |
| 170 #endif | 176 #endif |
| 171 } | 177 } |
| 172 | 178 |
| 173 size_t Channel::Message::payload_size() const { | 179 size_t Channel::Message::payload_size() const { |
| 174 #if defined(OS_CHROMEOS) || defined(OS_ANDROID) | 180 #if defined(OS_CHROMEOS) || defined(OS_ANDROID) |
| 175 return header_->num_bytes - sizeof(Header); | 181 return header_->num_bytes - sizeof(Header); |
| 176 #else | 182 #else |
| (...skipping 301 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 478 return true; | 484 return true; |
| 479 } | 485 } |
| 480 | 486 |
| 481 #if defined(OS_CHROMEOS) || defined(OS_ANDROID) | 487 #if defined(OS_CHROMEOS) || defined(OS_ANDROID) |
| 482 size_t extra_header_size = 0; | 488 size_t extra_header_size = 0; |
| 483 const void* extra_header = nullptr; | 489 const void* extra_header = nullptr; |
| 484 size_t payload_size = header->num_bytes - sizeof(Message::Header); | 490 size_t payload_size = header->num_bytes - sizeof(Message::Header); |
| 485 void* payload = payload_size ? const_cast<Message::Header*>(&header[1]) | 491 void* payload = payload_size ? const_cast<Message::Header*>(&header[1]) |
| 486 : nullptr; | 492 : nullptr; |
| 487 #else | 493 #else |
| 494 if (header->num_header_bytes < sizeof(Message::Header) || |
| 495 header->num_header_bytes > header->num_bytes) { |
| 496 LOG(ERROR) << "Invalid message header size: " << header->num_header_bytes; |
| 497 return false; |
| 498 } |
| 488 size_t extra_header_size = | 499 size_t extra_header_size = |
| 489 header->num_header_bytes - sizeof(Message::Header); | 500 header->num_header_bytes - sizeof(Message::Header); |
| 490 const void* extra_header = header + 1; | 501 const void* extra_header = extra_header_size ? header + 1 : nullptr; |
| 491 size_t payload_size = header->num_bytes - header->num_header_bytes; | 502 size_t payload_size = header->num_bytes - header->num_header_bytes; |
| 492 void* payload = | 503 void* payload = |
| 493 payload_size ? reinterpret_cast<Message::Header*>( | 504 payload_size ? reinterpret_cast<Message::Header*>( |
| 494 const_cast<char*>(read_buffer_->occupied_bytes()) + | 505 const_cast<char*>(read_buffer_->occupied_bytes()) + |
| 495 header->num_header_bytes) | 506 header->num_header_bytes) |
| 496 : nullptr; | 507 : nullptr; |
| 497 #endif // defined(OS_CHROMEOS) || defined(OS_ANDROID) | 508 #endif // defined(OS_CHROMEOS) || defined(OS_ANDROID) |
| 498 | 509 |
| 499 ScopedPlatformHandleVectorPtr handles; | 510 ScopedPlatformHandleVectorPtr handles; |
| 500 if (header->num_handles > 0) { | 511 if (header->num_handles > 0) { |
| 501 handles = GetReadPlatformHandles(header->num_handles, extra_header, | 512 if (!GetReadPlatformHandles(header->num_handles, extra_header, |
| 502 extra_header_size); | 513 extra_header_size, &handles)) { |
| 514 return false; |
| 515 } |
| 516 |
| 503 if (!handles) { | 517 if (!handles) { |
| 504 // Not enough handles available for this message. | 518 // Not enough handles available for this message. |
| 505 break; | 519 break; |
| 506 } | 520 } |
| 507 } | 521 } |
| 508 | 522 |
| 509 // We've got a complete message! Dispatch it and try another. | 523 // We've got a complete message! Dispatch it and try another. |
| 510 if (header->message_type != Message::Header::MessageType::NORMAL) { | 524 if (header->message_type != Message::Header::MessageType::NORMAL) { |
| 511 OnControlMessage(header->message_type, payload, payload_size, | 525 if (!OnControlMessage(header->message_type, payload, payload_size, |
| 512 std::move(handles)); | 526 std::move(handles))) { |
| 527 return false; |
| 528 } |
| 513 did_dispatch_message = true; | 529 did_dispatch_message = true; |
| 514 } else if (delegate_) { | 530 } else if (delegate_) { |
| 515 delegate_->OnChannelMessage(payload, payload_size, std::move(handles)); | 531 delegate_->OnChannelMessage(payload, payload_size, std::move(handles)); |
| 516 did_dispatch_message = true; | 532 did_dispatch_message = true; |
| 517 } | 533 } |
| 518 | 534 |
| 519 read_buffer_->Discard(header->num_bytes); | 535 read_buffer_->Discard(header->num_bytes); |
| 520 } | 536 } |
| 521 | 537 |
| 522 *next_read_size_hint = did_dispatch_message ? 0 : kReadBufferSize; | 538 *next_read_size_hint = did_dispatch_message ? 0 : kReadBufferSize; |
| 523 return true; | 539 return true; |
| 524 } | 540 } |
| 525 | 541 |
| 526 void Channel::OnError() { | 542 void Channel::OnError() { |
| 527 if (delegate_) | 543 if (delegate_) |
| 528 delegate_->OnChannelError(); | 544 delegate_->OnChannelError(); |
| 529 } | 545 } |
| 530 | 546 |
| 547 bool Channel::OnControlMessage(Message::Header::MessageType message_type, |
| 548 const void* payload, |
| 549 size_t payload_size, |
| 550 ScopedPlatformHandleVectorPtr handles) { |
| 551 return false; |
| 552 } |
| 553 |
| 531 } // namespace edk | 554 } // namespace edk |
| 532 } // namespace mojo | 555 } // namespace mojo |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1993963002:
[mojo-edk] Better validation of untrusted message data (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@2704