
Side by Side Diff: mojo/edk/system/data_pipe_producer_dispatcher.cc

Issue 2034183002: [mojo-edk] Add some buffer checks and fix UAF on NodeChannel (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@2704
Patch Set: Created 4 years, 6 months ago
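--- a/mojo/edk/system/data_pipe_producer_dispatcher.cc
+++ b/mojo/edk/system/data_pipe_producer_dispatcher.cc
@@ -1,10 +1,10 @@
 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "mojo/edk/system/data_pipe_producer_dispatcher.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <utility>
@@ -506,24 +506,28 @@
 }
 
 if (port_status.has_messages && !in_transit_) {
 ports::ScopedMessage message;
 do {
 int rv = node_controller_->node()->GetMessageIf(control_port_, nullptr,
 &message);
 if (rv != ports::OK)
 peer_closed_ = true;
 if (message) {
-PortsMessage* ports_message = static_cast<PortsMessage*>(message.get());
+if (message->num_payload_bytes() < sizeof(DataPipeControlMessage)) {
+peer_closed_ = true;
+break;
+}
+
 const DataPipeControlMessage* m =
 static_cast<const DataPipeControlMessage*>(
-ports_message->payload_bytes());
+message->payload_bytes());
 
 if (m->command != DataPipeCommand::DATA_WAS_READ) {
 DLOG(ERROR) << "Unexpected message from consumer.";
 peer_closed_ = true;
 break;
 }
 
 if (static_cast<size_t>(available_capacity_) + m->num_bytes >
 options_.capacity_num_bytes) {
 DLOG(ERROR) << "Consumer claims to have read too many bytes.";
@@ -540,10 +544,10 @@
 }
 
 if (peer_closed_ != was_peer_closed ||
 available_capacity_ != previous_capacity) {
 awakable_list_.AwakeForStateChange(GetHandleSignalsStateNoLock());
 }
 }
 
 } // namespace edk
 } // namespace mojo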
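Review bot: The new undersized-payload branch (new lines 516-519) sets `peer_closed_` and breaks without logging, whereas the two sibling rejection paths right below it (new lines 526 and 533) record why the peer is being dropped; a control message shorter than `sizeof(DataPipeControlMessage)` is the same class of protocol violation from the consumer and is the one a defender most wants a trace for, so add `DLOG(ERROR) << "Malformed control message from consumer.";` ahead of the `peer_closed_ = true;` on line 517. The guard uses `<`, so an oversized payload is still accepted and only its leading `sizeof(DataPipeControlMessage)` bytes are interpreted; if that tolerance is deliberate, a one-line comment on line 516 saying so would stop a later reader from tightening it to `!=` by accident. The enclosing function begins before this hunk, so the loop header and the origin of `port_status` are not visible here.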