
Side by Side Diff: mojo/edk/system/channel.cc

Issue 2102193002: [mojo-edk] Fix unchecked header sizes channel messages (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@2743
Patch Set: Created 4 years, 5 months ago
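--- a/mojo/edk/system/channel.cc
+++ b/mojo/edk/system/channel.cc
@@ -1,10 +1,10 @@
 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "mojo/edk/system/channel.h"
 
 #include <string.h>
 
 #include <algorithm>
 #include <limits>
@@ -133,34 +133,40 @@
 if (data_num_bytes < sizeof(Header))
 return nullptr;
 
 const Header* header = reinterpret_cast<const Header*>(data);
 if (header->num_bytes != data_num_bytes) {
 DLOG(ERROR) << "Decoding invalid message: " << header->num_bytes
 << " != " << data_num_bytes;
 return nullptr;
 }
 
-if (header->num_bytes < header->num_header_bytes) {
+if (header->num_bytes < header->num_header_bytes ||
+header->num_header_bytes < sizeof(Header)) {
 DLOG(ERROR) << "Decoding invalid message: " << header->num_bytes << " < "
 << header->num_header_bytes;
 return nullptr;
 }
 
 uint32_t extra_header_size = header->num_header_bytes - sizeof(Header);
 #if defined(OS_WIN)
 uint32_t max_handles = extra_header_size / sizeof(PlatformHandle);
 #elif defined(OS_MACOSX) && !defined(OS_IOS)
+if (extra_header_size < sizeof(MachPortsExtraHeader)) {
+DLOG(ERROR) << "Decoding invalid message: " << extra_header_size << " < "
+<< sizeof(MachPortsExtraHeader);
+return nullptr;
+}
 uint32_t max_handles = (extra_header_size - sizeof(MachPortsExtraHeader)) /
 sizeof(MachPortsEntry);
 #endif
-if (header->num_handles > max_handles) {
+if (header->num_handles > max_handles || max_handles > kMaxAttachedHandles) {
 DLOG(ERROR) << "Decoding invalid message:" << header->num_handles
 << " > " << max_handles;
 return nullptr;
 }
 
 MessagePtr message(new Message(data_num_bytes - header->num_header_bytes,
 max_handles));
 DCHECK_EQ(message->data_num_bytes(), data_num_bytes);
 DCHECK_EQ(message->extra_header_size(), extra_header_size);
 DCHECK_EQ(message->header_->num_header_bytes, header->num_header_bytes);
@@ -592,10 +598,10 @@
 
 bool Channel::OnControlMessage(Message::Header::MessageType message_type,
 const void* payload,
 size_t payload_size,
 ScopedPlatformHandleVectorPtr handles) {
 return false;
 }
 
 } // namespace edk
 } // namespace mojo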
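Review bot: The size invariants in the three `DCHECK_EQ` lines after the `Message` allocation are still enforced only by DCHECKs, which are normally compiled out of release builds, even though `num_header_bytes` is read from the message being decoded. Both `max_handles` computations use truncating division, so an `extra_header_size` that is not a whole number of handle entries passes every new check; if the `Message` constructor derives its header size from `max_handles` (not visible here), the rebuilt message would then differ in size from `data_num_bytes`. Consider rejecting the remainder explicitly, e.g. `if (extra_header_size % sizeof(PlatformHandle) != 0) return nullptr;` in the Windows branch and the equivalent test on `sizeof(MachPortsEntry)` in the Mac branch. Separately, the two widened conditions reuse the old `DLOG` text, so a message rejected for `num_header_bytes < sizeof(Header)` or for `max_handles > kMaxAttachedHandles` is logged with a comparison that did not fail. The enclosing function starts and continues in the skipped lines, so what happens after the DCHECKs cannot be confirmed from this page.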