
Side by Side Diff: mojo/edk/system/node_channel.cc

Issue 2034183002: [mojo-edk] Add some buffer checks and fix UAF on NodeChannel (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@2704
Patch Set: Created 4 years, 6 months ago
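--- a/mojo/edk/system/node_channel.cc
+++ b/mojo/edk/system/node_channel.cc
@@ -1,10 +1,10 @@
 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "mojo/edk/system/node_channel.h"
 
 #include <cstring>
 #include <limits>
 #include <sstream>
 
@@ -387,20 +387,25 @@
   ShutDown();
 }
 
 void NodeChannel::OnChannelMessage(const void* payload,
                                    size_t payload_size,
                                    ScopedPlatformHandleVectorPtr handles) {
   DCHECK(io_task_runner_->RunsTasksOnCurrentThread());
 
   RequestContext request_context(RequestContext::Source::SYSTEM);
 
+  // Ensure this NodeChannel stays alive through the extent of this method. The
+  // delegate may have the only other reference to this object and it may choose
+  // to drop it here in response to, e.g., a malformed message.
+  scoped_refptr<NodeChannel> keepalive = this;
+
 #if defined(OS_WIN)
   // If we receive handles from a known process, rewrite them to our own
   // process. This can occur when a privileged node receives handles directly
   // from a privileged descendant.
   {
     base::AutoLock lock(remote_process_handle_lock_);
     if (handles && remote_process_handle_ != base::kNullProcessHandle) {
       if (!Channel::Message::RewriteHandles(remote_process_handle_,
                                             base::GetCurrentProcessHandle(),
                                             handles->data(), handles->size())) {
@@ -667,20 +672,23 @@
 
     base::AutoLock lock(channel_lock_);
     if (!channel_) {
       DLOG(ERROR) << "Dropping message on closed channel.";
       break;
     } else {
       channel_->Write(std::move(message));
     }
   }
 
+  // Ensure this NodeChannel stays alive while flushing relay messages.
+  scoped_refptr<NodeChannel> keepalive = this;
+
   while (!pending_relays.empty()) {
     ports::NodeName destination = pending_relays.front().first;
     Channel::MessagePtr message = std::move(pending_relays.front().second);
     pending_relays.pop();
     delegate_->OnRelayPortsMessage(remote_node_name_, remote_process_handle,
                                    destination, std::move(message));
   }
 }
 #endif
 
@@ -745,10 +753,10 @@
 
   base::AutoLock lock(channel_lock_);
   if (!channel_)
     DLOG(ERROR) << "Dropping message on closed channel.";
   else
     channel_->Write(std::move(message));
 }
 
 }  // namespace edk
 }  // namespace mojo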
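Review bot: The keepalive at new line 683 is taken only after the write loop that precedes it, so any call into `delegate_` earlier in this OS_WIN function (its start is outside the hunk) would still run with no reference held; if nothing above can drop the channel, a comment stating that invariant would help, otherwise hoist `scoped_refptr<NodeChannel> keepalive = this;` to the function's first statement as done in OnChannelMessage at line 400. Note also that the keepalive only keeps `this` alive, not its state: after `delegate_->OnRelayPortsMessage` the delegate may have called ShutDown and reset `channel_`, so any code following the loop must re-check `channel_` under `channel_lock_` rather than assume it is still set, and the same applies to OnChannelMessage after every delegate callback. A unit test that releases the NodeChannel's last external reference from inside a delegate callback on a malformed message would pin the UAF fix against regression.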