Side by Side Diff: mojo/edk/system/node_channel.cc

Issue 2007943003: [mojo-edk] Add some buffer checks and fix UAF on NodeChannel (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@2743
Patch Set: Created 4 years, 6 months ago
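--- a/mojo/edk/system/node_channel.cc
+++ b/mojo/edk/system/node_channel.cc
@@ -1,10 +1,10 @@
 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "mojo/edk/system/node_channel.h"
 
 #include <cstring>
 #include <limits>
 #include <sstream>
 
@@ -388,20 +388,25 @@
 ShutDown();
 }
 
 void NodeChannel::OnChannelMessage(const void* payload,
 size_t payload_size,
 ScopedPlatformHandleVectorPtr handles) {
 DCHECK(io_task_runner_->RunsTasksOnCurrentThread());
 
 RequestContext request_context(RequestContext::Source::SYSTEM);
 
+// Ensure this NodeChannel stays alive through the extent of this method. The
+// delegate may have the only other reference to this object and it may choose
+// to drop it here in response to, e.g., a malformed message.
+scoped_refptr<NodeChannel> keepalive = this;
+
 #if defined(OS_WIN)
 // If we receive handles from a known process, rewrite them to our own
 // process. This can occur when a privileged node receives handles directly
 // from a privileged descendant.
 {
 base::AutoLock lock(remote_process_handle_lock_);
 if (handles && remote_process_handle_ != base::kNullProcessHandle) {
 // Note that we explicitly mark the handles as being owned by the sending
 // process before rewriting them, in order to accommodate RewriteHandles'
 // internal sanity checks.
@@ -677,20 +682,23 @@
 
 base::AutoLock lock(channel_lock_);
 if (!channel_) {
 DLOG(ERROR) << "Dropping message on closed channel.";
 break;
 } else {
 channel_->Write(std::move(message));
 }
 }
 
+// Ensure this NodeChannel stays alive while flushing relay messages.
+scoped_refptr<NodeChannel> keepalive = this;
+
 while (!pending_relays.empty()) {
 ports::NodeName destination = pending_relays.front().first;
 Channel::MessagePtr message = std::move(pending_relays.front().second);
 pending_relays.pop();
 delegate_->OnRelayPortsMessage(remote_node_name_, remote_process_handle,
 destination, std::move(message));
 }
 }
 #endif
 
@@ -755,10 +763,10 @@
 
 base::AutoLock lock(channel_lock_);
 if (!channel_)
 DLOG(ERROR) << "Dropping message on closed channel.";
 else
 channel_->Write(std::move(message));
 }
 
 } // namespace edk
 } // namespace mojo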
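Review bot: The keepalive added before the relay loop pins |this| but not delegate_, and the loop keeps calling `delegate_->OnRelayPortsMessage` on every iteration after the first; if the delegate can tear the channel down in response to a message (the first hunk's comment says it may drop its reference to this object for a malformed one) and that teardown also clears or destroys the delegate, the following iteration dereferences it after the fact. I cannot see from this hunk whether delegate_ is a const, non-null pointer that outlives the channel, so either state that contract next to the new keepalive, e.g. `// |delegate_| outlives this channel; the keepalive only pins |this| across the callbacks.`, or bail out with `if (!delegate_) break;` at the top of the loop if it can be cleared. The enclosing function, and the pending_relays and remote_process_handle locals it consumes, start outside the hunk.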