| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "ipc/ipc_message_attachment_set.h" | 5 #include "ipc/ipc_message_attachment_set.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| 11 #include "base/logging.h" | 11 #include "base/logging.h" |
| 12 #include "base/posix/eintr_wrapper.h" | 12 #include "base/posix/eintr_wrapper.h" |
| 13 #include "build/build_config.h" | 13 #include "build/build_config.h" |
| 14 #include "ipc/brokerable_attachment.h" | |
| 15 #include "ipc/ipc_message_attachment.h" | 14 #include "ipc/ipc_message_attachment.h" |
| 16 | 15 |
| 17 #if defined(OS_POSIX) | |
| 18 #include <sys/stat.h> | |
| 19 #include <sys/types.h> | |
| 20 #include <unistd.h> | |
| 21 #include "ipc/ipc_platform_file_attachment_posix.h" | |
| 22 #endif // OS_POSIX | |
| 23 | |
| 24 namespace IPC { | 16 namespace IPC { |
| 25 | 17 |
| 26 namespace { | 18 namespace { |
| 27 | 19 |
| 28 unsigned count_attachments_of_type( | 20 unsigned count_attachments_of_type( |
| 29 const std::vector<scoped_refptr<MessageAttachment>>& attachments, | 21 const std::vector<scoped_refptr<MessageAttachment>>& attachments, |
| 30 MessageAttachment::Type type) { | 22 MessageAttachment::Type type) { |
| 31 unsigned count = 0; | 23 unsigned count = 0; |
| 32 for (const scoped_refptr<MessageAttachment>& attachment : attachments) { | 24 for (const scoped_refptr<MessageAttachment>& attachment : attachments) { |
| 33 if (attachment->GetType() == type) | 25 if (attachment->GetType() == type) |
| 34 ++count; | 26 ++count; |
| 35 } | 27 } |
| 36 return count; | 28 return count; |
| 37 } | 29 } |
| 38 | 30 |
| 39 } // namespace | 31 } // namespace |
| 40 | 32 |
| 41 MessageAttachmentSet::MessageAttachmentSet() | 33 MessageAttachmentSet::MessageAttachmentSet() |
| 42 : consumed_descriptor_highwater_(0) { | 34 : consumed_descriptor_highwater_(0) { |
| 43 } | 35 } |
| 44 | 36 |
| 45 MessageAttachmentSet::~MessageAttachmentSet() { | 37 MessageAttachmentSet::~MessageAttachmentSet() { |
| 46 if (consumed_descriptor_highwater_ == num_non_brokerable_attachments()) | 38 if (consumed_descriptor_highwater_ == size()) |
| 47 return; | 39 return; |
| 48 | 40 |
| 49 // We close all the owning descriptors. If this message should have | 41 // We close all the owning descriptors. If this message should have |
| 50 // been transmitted, then closing those with close flags set mirrors | 42 // been transmitted, then closing those with close flags set mirrors |
| 51 // the expected behaviour. | 43 // the expected behaviour. |
| 52 // | 44 // |
| 53 // If this message was received with more descriptors than expected | 45 // If this message was received with more descriptors than expected |
| 54 // (which could a DOS against the browser by a rogue renderer) then all | 46 // (which could a DOS against the browser by a rogue renderer) then all |
| 55 // the descriptors have their close flag set and we free all the extra | 47 // the descriptors have their close flag set and we free all the extra |
| 56 // kernel resources. | 48 // kernel resources. |
| 57 LOG(WARNING) << "MessageAttachmentSet destroyed with unconsumed descriptors: " | 49 LOG(WARNING) << "MessageAttachmentSet destroyed with unconsumed attachments: " |
| 58 << consumed_descriptor_highwater_ << "/" << num_descriptors(); | 50 << consumed_descriptor_highwater_ << "/" << size(); |
| 59 } | 51 } |
| 60 | 52 |
| 61 unsigned MessageAttachmentSet::num_descriptors() const { | 53 unsigned MessageAttachmentSet::num_descriptors() const { |
| 62 return count_attachments_of_type(attachments_, | 54 return count_attachments_of_type(attachments_, |
| 63 MessageAttachment::TYPE_PLATFORM_FILE); | 55 MessageAttachment::Type::PLATFORM_FILE); |
| 64 } | |
| 65 | |
| 66 unsigned MessageAttachmentSet::num_mojo_handles() const { | |
| 67 return count_attachments_of_type(attachments_, | |
| 68 MessageAttachment::TYPE_MOJO_HANDLE); | |
| 69 } | |
| 70 | |
| 71 unsigned MessageAttachmentSet::num_brokerable_attachments() const { | |
| 72 return static_cast<unsigned>(brokerable_attachments_.size()); | |
| 73 } | |
| 74 | |
| 75 unsigned MessageAttachmentSet::num_non_brokerable_attachments() const { | |
| 76 return static_cast<unsigned>(attachments_.size()); | |
| 77 } | 56 } |
| 78 | 57 |
| 79 unsigned MessageAttachmentSet::size() const { | 58 unsigned MessageAttachmentSet::size() const { |
| 80 return static_cast<unsigned>(attachments_.size() + | 59 return static_cast<unsigned>(attachments_.size()); |
| 81 brokerable_attachments_.size()); | |
| 82 } | 60 } |
| 83 | 61 |
| 84 bool MessageAttachmentSet::AddAttachment( | 62 bool MessageAttachmentSet::AddAttachment( |
| 85 scoped_refptr<MessageAttachment> attachment, | 63 scoped_refptr<MessageAttachment> attachment, |
| 86 size_t* index, | 64 size_t* index) { |
| 87 bool* brokerable) { | |
| 88 #if defined(OS_POSIX) | 65 #if defined(OS_POSIX) |
| 89 if (attachment->GetType() == MessageAttachment::TYPE_PLATFORM_FILE && | 66 if (attachment->GetType() == MessageAttachment::Type::PLATFORM_FILE && |
| 90 num_descriptors() == kMaxDescriptorsPerMessage) { | 67 num_descriptors() == kMaxDescriptorsPerMessage) { |
| 91 DLOG(WARNING) << "Cannot add file descriptor. MessageAttachmentSet full."; | 68 DLOG(WARNING) << "Cannot add file descriptor. MessageAttachmentSet full."; |
| 92 return false; | 69 return false; |
| 93 } | 70 } |
| 94 #endif | 71 #endif |
| 95 | 72 |
| 96 switch (attachment->GetType()) { | 73 switch (attachment->GetType()) { |
| 97 case MessageAttachment::TYPE_PLATFORM_FILE: | 74 case MessageAttachment::Type::PLATFORM_FILE: |
| 98 case MessageAttachment::TYPE_MOJO_HANDLE: | 75 case MessageAttachment::Type::MOJO_HANDLE: |
| 76 case MessageAttachment::Type::WIN_HANDLE: |
| 77 case MessageAttachment::Type::MACH_PORT: |
| 99 attachments_.push_back(attachment); | 78 attachments_.push_back(attachment); |
| 100 *index = attachments_.size() - 1; | 79 *index = attachments_.size() - 1; |
| 101 *brokerable = false; | |
| 102 return true; | |
| 103 case MessageAttachment::TYPE_BROKERABLE_ATTACHMENT: | |
| 104 BrokerableAttachment* brokerable_attachment = | |
| 105 static_cast<BrokerableAttachment*>(attachment.get()); | |
| 106 scoped_refptr<BrokerableAttachment> a(brokerable_attachment); | |
| 107 brokerable_attachments_.push_back(a); | |
| 108 *index = brokerable_attachments_.size() - 1; | |
| 109 *brokerable = true; | |
| 110 return true; | 80 return true; |
| 111 } | 81 } |
| 112 return false; | 82 return false; |
| 113 } | 83 } |
| 114 | 84 |
| 115 bool MessageAttachmentSet::AddAttachment( | 85 bool MessageAttachmentSet::AddAttachment( |
| 116 scoped_refptr<MessageAttachment> attachment) { | 86 scoped_refptr<MessageAttachment> attachment) { |
| 117 bool brokerable; | |
| 118 size_t index; | 87 size_t index; |
| 119 return AddAttachment(attachment, &index, &brokerable); | 88 return AddAttachment(attachment, &index); |
| 120 } | 89 } |
| 121 | 90 |
| 122 scoped_refptr<MessageAttachment> | 91 scoped_refptr<MessageAttachment> MessageAttachmentSet::GetAttachmentAt( |
| 123 MessageAttachmentSet::GetNonBrokerableAttachmentAt(unsigned index) { | 92 unsigned index) { |
| 124 if (index >= num_non_brokerable_attachments()) { | 93 if (index >= size()) { |
| 125 DLOG(WARNING) << "Accessing out of bound index:" << index << "/" | 94 DLOG(WARNING) << "Accessing out of bound index:" << index << "/" << size(); |
| 126 << num_non_brokerable_attachments(); | |
| 127 return scoped_refptr<MessageAttachment>(); | 95 return scoped_refptr<MessageAttachment>(); |
| 128 } | 96 } |
| 129 | 97 |
| 130 // We should always walk the descriptors in order, so it's reasonable to | 98 // We should always walk the descriptors in order, so it's reasonable to |
| 131 // enforce this. Consider the case where a compromised renderer sends us | 99 // enforce this. Consider the case where a compromised renderer sends us |
| 132 // the following message: | 100 // the following message: |
| 133 // | 101 // |
| 134 // ExampleMsg: | 102 // ExampleMsg: |
| 135 // num_fds:2 msg:FD(index = 1) control:SCM_RIGHTS {n, m} | 103 // num_fds:2 msg:FD(index = 1) control:SCM_RIGHTS {n, m} |
| 136 // | 104 // |
| 137 // Here the renderer sent us a message which should have a descriptor, but | 105 // Here the renderer sent us a message which should have a descriptor, but |
| 138 // actually sent two in an attempt to fill our fd table and kill us. By | 106 // actually sent two in an attempt to fill our fd table and kill us. By |
| 139 // setting the index of the descriptor in the message to 1 (it should be | 107 // setting the index of the descriptor in the message to 1 (it should be |
| 140 // 0), we would record a highwater of 1 and then consider all the | 108 // 0), we would record a highwater of 1 and then consider all the |
| 141 // descriptors to have been used. | 109 // descriptors to have been used. |
| 142 // | 110 // |
| 143 // So we can either track of the use of each descriptor in a bitset, or we | 111 // So we can either track of the use of each descriptor in a bitset, or we |
| 144 // can enforce that we walk the indexes strictly in order. | 112 // can enforce that we walk the indexes strictly in order. |
| 145 // | 113 // |
| 146 // There's one more wrinkle: When logging messages, we may reparse them. So | 114 // There's one more wrinkle: When logging messages, we may reparse them. So |
| 147 // we have an exception: When the consumed_descriptor_highwater_ is at the | 115 // we have an exception: When the consumed_descriptor_highwater_ is at the |
| 148 // end of the array and index 0 is requested, we reset the highwater value. | 116 // end of the array and index 0 is requested, we reset the highwater value. |
| 149 // TODO(morrita): This is absurd. This "wringle" disallow to introduce clearer | 117 // TODO(morrita): This is absurd. This "wringle" disallow to introduce clearer |
| 150 // ownership model. Only client is NaclIPCAdapter. See crbug.com/415294 | 118 // ownership model. Only client is NaclIPCAdapter. See crbug.com/415294 |
| 151 if (index == 0 && | 119 if (index == 0 && consumed_descriptor_highwater_ == size()) { |
| 152 consumed_descriptor_highwater_ == num_non_brokerable_attachments()) { | |
| 153 consumed_descriptor_highwater_ = 0; | 120 consumed_descriptor_highwater_ = 0; |
| 154 } | 121 } |
| 155 | 122 |
| 156 if (index != consumed_descriptor_highwater_) | 123 if (index != consumed_descriptor_highwater_) |
| 157 return scoped_refptr<MessageAttachment>(); | 124 return scoped_refptr<MessageAttachment>(); |
| 158 | 125 |
| 159 consumed_descriptor_highwater_ = index + 1; | 126 consumed_descriptor_highwater_ = index + 1; |
| 160 | 127 |
| 161 return attachments_[index]; | 128 return attachments_[index]; |
| 162 } | 129 } |
| 163 | 130 |
| 164 scoped_refptr<MessageAttachment> | |
| 165 MessageAttachmentSet::GetBrokerableAttachmentAt(unsigned index) { | |
| 166 if (index >= num_brokerable_attachments()) { | |
| 167 DLOG(WARNING) << "Accessing out of bound index:" << index << "/" | |
| 168 << num_brokerable_attachments(); | |
| 169 return scoped_refptr<MessageAttachment>(); | |
| 170 } | |
| 171 | |
| 172 scoped_refptr<BrokerableAttachment> brokerable_attachment( | |
| 173 brokerable_attachments_[index]); | |
| 174 return scoped_refptr<MessageAttachment>(brokerable_attachment.get()); | |
| 175 } | |
| 176 | |
| 177 void MessageAttachmentSet::CommitAllDescriptors() { | 131 void MessageAttachmentSet::CommitAllDescriptors() { |
| 178 attachments_.clear(); | 132 attachments_.clear(); |
| 179 consumed_descriptor_highwater_ = 0; | 133 consumed_descriptor_highwater_ = 0; |
| 180 } | 134 } |
| 181 | 135 |
| 182 std::vector<scoped_refptr<IPC::BrokerableAttachment>> | |
| 183 MessageAttachmentSet::GetBrokerableAttachments() const { | |
| 184 return brokerable_attachments_; | |
| 185 } | |
| 186 | |
| 187 #if defined(OS_POSIX) | |
| 188 | |
| 189 void MessageAttachmentSet::PeekDescriptors(base::PlatformFile* buffer) const { | |
| 190 for (size_t i = 0; i != attachments_.size(); ++i) | |
| 191 buffer[i] = internal::GetPlatformFile(attachments_[i]); | |
| 192 } | |
| 193 | |
| 194 bool MessageAttachmentSet::ContainsDirectoryDescriptor() const { | |
| 195 struct stat st; | |
| 196 | |
| 197 for (auto i = attachments_.begin(); i != attachments_.end(); ++i) { | |
| 198 if (fstat(internal::GetPlatformFile(*i), &st) == 0 && S_ISDIR(st.st_mode)) | |
| 199 return true; | |
| 200 } | |
| 201 | |
| 202 return false; | |
| 203 } | |
| 204 | |
| 205 void MessageAttachmentSet::ReleaseFDsToClose( | |
| 206 std::vector<base::PlatformFile>* fds) { | |
| 207 for (size_t i = 0; i < attachments_.size(); ++i) { | |
| 208 internal::PlatformFileAttachment* file = | |
| 209 static_cast<internal::PlatformFileAttachment*>(attachments_[i].get()); | |
| 210 if (file->Owns()) | |
| 211 fds->push_back(file->TakePlatformFile()); | |
| 212 } | |
| 213 | |
| 214 CommitAllDescriptors(); | |
| 215 } | |
| 216 | |
| 217 void MessageAttachmentSet::AddDescriptorsToOwn(const base::PlatformFile* buffer, | |
| 218 unsigned count) { | |
| 219 DCHECK(count <= kMaxDescriptorsPerMessage); | |
| 220 DCHECK_EQ(num_descriptors(), 0u); | |
| 221 DCHECK_EQ(consumed_descriptor_highwater_, 0u); | |
| 222 | |
| 223 attachments_.reserve(count); | |
| 224 for (unsigned i = 0; i < count; ++i) | |
| 225 AddAttachment( | |
| 226 new internal::PlatformFileAttachment(base::ScopedFD(buffer[i]))); | |
| 227 } | |
| 228 | |
| 229 #endif // OS_POSIX | |
| 230 | |
| 231 } // namespace IPC | 136 } // namespace IPC |
| 232 | |
| 233 | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2494943002:
Remove IPC::BrokerableAttachment. (Closed)
