
Side by Side Diff: mojo/edk/system/data_pipe_consumer_dispatcher.cc

Issue 2007943003: [mojo-edk] Add some buffer checks and fix UAF on NodeChannel (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@2743
Patch Set: Created 4 years, 6 months ago
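--- a/mojo/edk/system/data_pipe_consumer_dispatcher.cc
+++ b/mojo/edk/system/data_pipe_consumer_dispatcher.cc
@@ -1,10 +1,10 @@
 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "mojo/edk/system/data_pipe_consumer_dispatcher.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <algorithm>
@@ -524,20 +524,25 @@
 << " [control_port=" << control_port_.name() << "]";
 peer_closed_ = true;
 } else if (rv == ports::OK && port_status.has_messages && !in_transit_) {
 ports::ScopedMessage message;
 do {
 int rv = node_controller_->node()->GetMessageIf(control_port_, nullptr,
 &message);
 if (rv != ports::OK)
 peer_closed_ = true;
 if (message) {
+if (message->num_payload_bytes() < sizeof(DataPipeControlMessage)) {
+peer_closed_ = true;
+break;
+}
+
 const DataPipeControlMessage* m =
 static_cast<const DataPipeControlMessage*>(
 message->payload_bytes());
 
 if (m->command != DataPipeCommand::DATA_WAS_WRITTEN) {
 DLOG(ERROR) << "Unexpected control message from producer.";
 peer_closed_ = true;
 break;
 }
 
@@ -558,10 +563,10 @@
 }
 
 if (peer_closed_ != was_peer_closed ||
 bytes_available_ != previous_bytes_available) {
 awakable_list_.AwakeForStateChange(GetHandleSignalsStateNoLock());
 }
 }
 
 } // namespace edk
 } // namespace mojo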
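Review bot: The new length check at new lines 534-537 closes the pipe silently, while the unexpected-command branch just below logs before doing the same, so a truncated control message from the producer leaves no trace for whoever triages it; add `DLOG(ERROR) << "Control message too short.";` before `peer_closed_ = true;`. The check does guard the `static_cast` and the read of `m->command`, but it only proves the struct is fully present, not that its contents are sane. The 14 lines skipped after new line 548 are not shown here; if they use a byte count taken from `m`, that value is peer-controlled and presumably needs a bound against the pipe's capacity before it is folded into `bytes_available_`. The enclosing function begins in the skipped region above line 524.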