| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "mojo/edk/system/data_pipe_producer_dispatcher.h" | 5 #include "mojo/edk/system/data_pipe_producer_dispatcher.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <utility> | 10 #include <utility> |
| (...skipping 491 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 502 << " [control_port=" << control_port_.name() << "]"; | 502 << " [control_port=" << control_port_.name() << "]"; |
| 503 peer_closed_ = true; | 503 peer_closed_ = true; |
| 504 } else if (rv == ports::OK && port_status.has_messages && !in_transit_) { | 504 } else if (rv == ports::OK && port_status.has_messages && !in_transit_) { |
| 505 ports::ScopedMessage message; | 505 ports::ScopedMessage message; |
| 506 do { | 506 do { |
| 507 int rv = node_controller_->node()->GetMessageIf(control_port_, nullptr, | 507 int rv = node_controller_->node()->GetMessageIf(control_port_, nullptr, |
| 508 &message); | 508 &message); |
| 509 if (rv != ports::OK) | 509 if (rv != ports::OK) |
| 510 peer_closed_ = true; | 510 peer_closed_ = true; |
| 511 if (message) { | 511 if (message) { |
| 512 PortsMessage* ports_message = static_cast<PortsMessage*>(message.get()); | 512 if (message->num_payload_bytes() < sizeof(DataPipeControlMessage)) { |
| 513 peer_closed_ = true; |
| 514 break; |
| 515 } |
| 516 |
| 513 const DataPipeControlMessage* m = | 517 const DataPipeControlMessage* m = |
| 514 static_cast<const DataPipeControlMessage*>( | 518 static_cast<const DataPipeControlMessage*>( |
| 515 ports_message->payload_bytes()); | 519 message->payload_bytes()); |
| 516 | 520 |
| 517 if (m->command != DataPipeCommand::DATA_WAS_READ) { | 521 if (m->command != DataPipeCommand::DATA_WAS_READ) { |
| 518 DLOG(ERROR) << "Unexpected message from consumer."; | 522 DLOG(ERROR) << "Unexpected message from consumer."; |
| 519 peer_closed_ = true; | 523 peer_closed_ = true; |
| 520 break; | 524 break; |
| 521 } | 525 } |
| 522 | 526 |
| 523 if (static_cast<size_t>(available_capacity_) + m->num_bytes > | 527 if (static_cast<size_t>(available_capacity_) + m->num_bytes > |
| 524 options_.capacity_num_bytes) { | 528 options_.capacity_num_bytes) { |
| 525 DLOG(ERROR) << "Consumer claims to have read too many bytes."; | 529 DLOG(ERROR) << "Consumer claims to have read too many bytes."; |
| (...skipping 10 matching lines...) Expand all Loading... |
| 536 } | 540 } |
| 537 | 541 |
| 538 if (peer_closed_ != was_peer_closed || | 542 if (peer_closed_ != was_peer_closed || |
| 539 available_capacity_ != previous_capacity) { | 543 available_capacity_ != previous_capacity) { |
| 540 awakable_list_.AwakeForStateChange(GetHandleSignalsStateNoLock()); | 544 awakable_list_.AwakeForStateChange(GetHandleSignalsStateNoLock()); |
| 541 } | 545 } |
| 542 } | 546 } |
| 543 | 547 |
| 544 } // namespace edk | 548 } // namespace edk |
| 545 } // namespace mojo | 549 } // namespace mojo |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2007943003:
[mojo-edk] Add some buffer checks and fix UAF on NodeChannel (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@2743