| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "mojo/edk/system/channel.h" | 5 #include "mojo/edk/system/channel.h" |
| 6 | 6 |
| 7 #include <string.h> | 7 #include <string.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 #include <limits> | 10 #include <limits> |
| (...skipping 122 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 133 if (data_num_bytes < sizeof(Header)) | 133 if (data_num_bytes < sizeof(Header)) |
| 134 return nullptr; | 134 return nullptr; |
| 135 | 135 |
| 136 const Header* header = reinterpret_cast<const Header*>(data); | 136 const Header* header = reinterpret_cast<const Header*>(data); |
| 137 if (header->num_bytes != data_num_bytes) { | 137 if (header->num_bytes != data_num_bytes) { |
| 138 DLOG(ERROR) << "Decoding invalid message: " << header->num_bytes | 138 DLOG(ERROR) << "Decoding invalid message: " << header->num_bytes |
| 139 << " != " << data_num_bytes; | 139 << " != " << data_num_bytes; |
| 140 return nullptr; | 140 return nullptr; |
| 141 } | 141 } |
| 142 | 142 |
| 143 if (header->num_bytes < header->num_header_bytes) { | 143 if (header->num_bytes < header->num_header_bytes || |
| 144 header->num_header_bytes < sizeof(Header)) { |
| 144 DLOG(ERROR) << "Decoding invalid message: " << header->num_bytes << " < " | 145 DLOG(ERROR) << "Decoding invalid message: " << header->num_bytes << " < " |
| 145 << header->num_header_bytes; | 146 << header->num_header_bytes; |
| 146 return nullptr; | 147 return nullptr; |
| 147 } | 148 } |
| 148 | 149 |
| 149 uint32_t extra_header_size = header->num_header_bytes - sizeof(Header); | 150 uint32_t extra_header_size = header->num_header_bytes - sizeof(Header); |
| 150 #if defined(OS_WIN) | 151 #if defined(OS_WIN) |
| 151 uint32_t max_handles = extra_header_size / sizeof(PlatformHandle); | 152 uint32_t max_handles = extra_header_size / sizeof(PlatformHandle); |
| 152 #elif defined(OS_MACOSX) && !defined(OS_IOS) | 153 #elif defined(OS_MACOSX) && !defined(OS_IOS) |
| 154 if (extra_header_size < sizeof(MachPortsExtraHeader)) { |
| 155 DLOG(ERROR) << "Decoding invalid message: " << extra_header_size << " < " |
| 156 << sizeof(MachPortsExtraHeader); |
| 157 return nullptr; |
| 158 } |
| 153 uint32_t max_handles = (extra_header_size - sizeof(MachPortsExtraHeader)) / | 159 uint32_t max_handles = (extra_header_size - sizeof(MachPortsExtraHeader)) / |
| 154 sizeof(MachPortsEntry); | 160 sizeof(MachPortsEntry); |
| 155 #endif | 161 #endif |
| 156 if (header->num_handles > max_handles) { | 162 if (header->num_handles > max_handles || max_handles > kMaxAttachedHandles) { |
| 157 DLOG(ERROR) << "Decoding invalid message:" << header->num_handles | 163 DLOG(ERROR) << "Decoding invalid message:" << header->num_handles |
| 158 << " > " << max_handles; | 164 << " > " << max_handles; |
| 159 return nullptr; | 165 return nullptr; |
| 160 } | 166 } |
| 161 | 167 |
| 162 MessagePtr message(new Message(data_num_bytes - header->num_header_bytes, | 168 MessagePtr message(new Message(data_num_bytes - header->num_header_bytes, |
| 163 max_handles)); | 169 max_handles)); |
| 164 DCHECK_EQ(message->data_num_bytes(), data_num_bytes); | 170 DCHECK_EQ(message->data_num_bytes(), data_num_bytes); |
| 165 DCHECK_EQ(message->extra_header_size(), extra_header_size); | 171 DCHECK_EQ(message->extra_header_size(), extra_header_size); |
| 166 DCHECK_EQ(message->header_->num_header_bytes, header->num_header_bytes); | 172 DCHECK_EQ(message->header_->num_header_bytes, header->num_header_bytes); |
| (...skipping 425 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 592 | 598 |
| 593 bool Channel::OnControlMessage(Message::Header::MessageType message_type, | 599 bool Channel::OnControlMessage(Message::Header::MessageType message_type, |
| 594 const void* payload, | 600 const void* payload, |
| 595 size_t payload_size, | 601 size_t payload_size, |
| 596 ScopedPlatformHandleVectorPtr handles) { | 602 ScopedPlatformHandleVectorPtr handles) { |
| 597 return false; | 603 return false; |
| 598 } | 604 } |
| 599 | 605 |
| 600 } // namespace edk | 606 } // namespace edk |
| 601 } // namespace mojo | 607 } // namespace mojo |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2102193002:
[mojo-edk] Fix unchecked header sizes channel messages (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@2743