| Index: mojo/edk/system/channel.cc |
| diff --git a/mojo/edk/system/channel.cc b/mojo/edk/system/channel.cc |
| index ac97fbbf29c68463d9f9d3cde643b10241f13599..f3030179fdcd408cbfe88e6e940aae14b672afdd 100644 |
| --- a/mojo/edk/system/channel.cc |
| +++ b/mojo/edk/system/channel.cc |
| @@ -137,7 +137,8 @@ Channel::MessagePtr Channel::Message::Deserialize(const void* data, |
| return nullptr; |
| } |
| - if (header->num_bytes < header->num_header_bytes) { |
| + if (header->num_bytes < header->num_header_bytes || |
| + header->num_header_bytes < sizeof(Header)) { |
|
Ken Rockot(use gerrit already)
2016/06/23 00:26:37
I made this condition explicit here, but we alread
Ken Rockot(use gerrit already)
2016/06/23 00:30:35
Wait, nevermind. I did backwards things in my head
Oliver Chang
2016/06/23 00:31:17
yep :) I missed this during the first review too
|
| DLOG(ERROR) << "Decoding invalid message: " << header->num_bytes << " < " |
| << header->num_header_bytes; |
| return nullptr; |
| @@ -147,6 +148,11 @@ Channel::MessagePtr Channel::Message::Deserialize(const void* data, |
| #if defined(OS_WIN) |
| uint32_t max_handles = extra_header_size / sizeof(HandleEntry); |
| #elif defined(OS_MACOSX) && !defined(OS_IOS) |
| + if (extra_header_size < sizeof(MachPortsExtraHeader)) { |
| + DLOG(ERROR) << "Decoding invalid message: " << extra_header_size << " < " |
| + << sizeof(MachPortsExtraHeader); |
| + return nullptr; |
| + } |
| uint32_t max_handles = (extra_header_size - sizeof(MachPortsExtraHeader)) / |
|
Oliver Chang
2016/06/23 00:31:17
not sure if it's worth sanity checking max_handles
Ken Rockot(use gerrit already)
2016/06/23 00:42:51
oh right... done!
|
| sizeof(MachPortsEntry); |
| #endif |
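Review bot: The DLOG under the widened condition in the first hunk still prints only `num_bytes < num_header_bytes`, so a message rejected by the new `num_header_bytes < sizeof(Header)` clause is logged with a comparison that may not be true, which makes malformed-message reports harder to triage. Either give the new clause its own branch with its own message, or extend the existing one, e.g. `<< " (num_header_bytes " << header->num_header_bytes << ", minimum " << sizeof(Header) << ")";`. A one-line comment above the check would also help the next reader, such as `// num_header_bytes is read from the serialized data; it must cover Header before the extra-header size is derived from it.` The derivation of extra_header_size is outside both hunks, so confirm that it is the subtraction this check guards. Deserialize's body starts and ends outside the hunks shown here.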