| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "ipc/ipc_message_attachment_set.h" | 5 #include "ipc/ipc_message_attachment_set.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| 11 #include "base/logging.h" | 11 #include "base/logging.h" |
| 12 #include "base/posix/eintr_wrapper.h" | 12 #include "base/posix/eintr_wrapper.h" |
| 13 #include "build/build_config.h" | 13 #include "build/build_config.h" |
| 14 #include "ipc/brokerable_attachment.h" |
| 14 #include "ipc/ipc_message_attachment.h" | 15 #include "ipc/ipc_message_attachment.h" |
| 15 | 16 |
| 17 #if defined(OS_POSIX) |
| 18 #include <sys/stat.h> |
| 19 #include <sys/types.h> |
| 20 #include <unistd.h> |
| 21 #include "ipc/ipc_platform_file_attachment_posix.h" |
| 22 #endif // OS_POSIX |
| 23 |
| 16 namespace IPC { | 24 namespace IPC { |
| 17 | 25 |
| 18 namespace { | 26 namespace { |
| 19 | 27 |
| 20 unsigned count_attachments_of_type( | 28 unsigned count_attachments_of_type( |
| 21 const std::vector<scoped_refptr<MessageAttachment>>& attachments, | 29 const std::vector<scoped_refptr<MessageAttachment>>& attachments, |
| 22 MessageAttachment::Type type) { | 30 MessageAttachment::Type type) { |
| 23 unsigned count = 0; | 31 unsigned count = 0; |
| 24 for (const scoped_refptr<MessageAttachment>& attachment : attachments) { | 32 for (const scoped_refptr<MessageAttachment>& attachment : attachments) { |
| 25 if (attachment->GetType() == type) | 33 if (attachment->GetType() == type) |
| 26 ++count; | 34 ++count; |
| 27 } | 35 } |
| 28 return count; | 36 return count; |
| 29 } | 37 } |
| 30 | 38 |
| 31 } // namespace | 39 } // namespace |
| 32 | 40 |
| 33 MessageAttachmentSet::MessageAttachmentSet() | 41 MessageAttachmentSet::MessageAttachmentSet() |
| 34 : consumed_descriptor_highwater_(0) { | 42 : consumed_descriptor_highwater_(0) { |
| 35 } | 43 } |
| 36 | 44 |
| 37 MessageAttachmentSet::~MessageAttachmentSet() { | 45 MessageAttachmentSet::~MessageAttachmentSet() { |
| 38 if (consumed_descriptor_highwater_ == size()) | 46 if (consumed_descriptor_highwater_ == num_non_brokerable_attachments()) |
| 39 return; | 47 return; |
| 40 | 48 |
| 41 // We close all the owning descriptors. If this message should have | 49 // We close all the owning descriptors. If this message should have |
| 42 // been transmitted, then closing those with close flags set mirrors | 50 // been transmitted, then closing those with close flags set mirrors |
| 43 // the expected behaviour. | 51 // the expected behaviour. |
| 44 // | 52 // |
| 45 // If this message was received with more descriptors than expected | 53 // If this message was received with more descriptors than expected |
| 46 // (which could a DOS against the browser by a rogue renderer) then all | 54 // (which could a DOS against the browser by a rogue renderer) then all |
| 47 // the descriptors have their close flag set and we free all the extra | 55 // the descriptors have their close flag set and we free all the extra |
| 48 // kernel resources. | 56 // kernel resources. |
| 49 LOG(WARNING) << "MessageAttachmentSet destroyed with unconsumed attachments: " | 57 LOG(WARNING) << "MessageAttachmentSet destroyed with unconsumed descriptors: " |
| 50 << consumed_descriptor_highwater_ << "/" << size(); | 58 << consumed_descriptor_highwater_ << "/" << num_descriptors(); |
| 51 } | 59 } |
| 52 | 60 |
| 53 unsigned MessageAttachmentSet::num_descriptors() const { | 61 unsigned MessageAttachmentSet::num_descriptors() const { |
| 54 return count_attachments_of_type(attachments_, | 62 return count_attachments_of_type(attachments_, |
| 55 MessageAttachment::Type::PLATFORM_FILE); | 63 MessageAttachment::TYPE_PLATFORM_FILE); |
| 64 } |
| 65 |
| 66 unsigned MessageAttachmentSet::num_mojo_handles() const { |
| 67 return count_attachments_of_type(attachments_, |
| 68 MessageAttachment::TYPE_MOJO_HANDLE); |
| 69 } |
| 70 |
| 71 unsigned MessageAttachmentSet::num_brokerable_attachments() const { |
| 72 return static_cast<unsigned>(brokerable_attachments_.size()); |
| 73 } |
| 74 |
| 75 unsigned MessageAttachmentSet::num_non_brokerable_attachments() const { |
| 76 return static_cast<unsigned>(attachments_.size()); |
| 56 } | 77 } |
| 57 | 78 |
| 58 unsigned MessageAttachmentSet::size() const { | 79 unsigned MessageAttachmentSet::size() const { |
| 59 return static_cast<unsigned>(attachments_.size()); | 80 return static_cast<unsigned>(attachments_.size() + |
| 81 brokerable_attachments_.size()); |
| 60 } | 82 } |
| 61 | 83 |
| 62 bool MessageAttachmentSet::AddAttachment( | 84 bool MessageAttachmentSet::AddAttachment( |
| 63 scoped_refptr<MessageAttachment> attachment, | 85 scoped_refptr<MessageAttachment> attachment, |
| 64 size_t* index) { | 86 size_t* index, |
| 87 bool* brokerable) { |
| 65 #if defined(OS_POSIX) | 88 #if defined(OS_POSIX) |
| 66 if (attachment->GetType() == MessageAttachment::Type::PLATFORM_FILE && | 89 if (attachment->GetType() == MessageAttachment::TYPE_PLATFORM_FILE && |
| 67 num_descriptors() == kMaxDescriptorsPerMessage) { | 90 num_descriptors() == kMaxDescriptorsPerMessage) { |
| 68 DLOG(WARNING) << "Cannot add file descriptor. MessageAttachmentSet full."; | 91 DLOG(WARNING) << "Cannot add file descriptor. MessageAttachmentSet full."; |
| 69 return false; | 92 return false; |
| 70 } | 93 } |
| 71 #endif | 94 #endif |
| 72 | 95 |
| 73 switch (attachment->GetType()) { | 96 switch (attachment->GetType()) { |
| 74 case MessageAttachment::Type::PLATFORM_FILE: | 97 case MessageAttachment::TYPE_PLATFORM_FILE: |
| 75 case MessageAttachment::Type::MOJO_HANDLE: | 98 case MessageAttachment::TYPE_MOJO_HANDLE: |
| 76 case MessageAttachment::Type::WIN_HANDLE: | |
| 77 case MessageAttachment::Type::MACH_PORT: | |
| 78 attachments_.push_back(attachment); | 99 attachments_.push_back(attachment); |
| 79 *index = attachments_.size() - 1; | 100 *index = attachments_.size() - 1; |
| 101 *brokerable = false; |
| 102 return true; |
| 103 case MessageAttachment::TYPE_BROKERABLE_ATTACHMENT: |
| 104 BrokerableAttachment* brokerable_attachment = |
| 105 static_cast<BrokerableAttachment*>(attachment.get()); |
| 106 scoped_refptr<BrokerableAttachment> a(brokerable_attachment); |
| 107 brokerable_attachments_.push_back(a); |
| 108 *index = brokerable_attachments_.size() - 1; |
| 109 *brokerable = true; |
| 80 return true; | 110 return true; |
| 81 } | 111 } |
| 82 return false; | 112 return false; |
| 83 } | 113 } |
| 84 | 114 |
| 85 bool MessageAttachmentSet::AddAttachment( | 115 bool MessageAttachmentSet::AddAttachment( |
| 86 scoped_refptr<MessageAttachment> attachment) { | 116 scoped_refptr<MessageAttachment> attachment) { |
| 117 bool brokerable; |
| 87 size_t index; | 118 size_t index; |
| 88 return AddAttachment(attachment, &index); | 119 return AddAttachment(attachment, &index, &brokerable); |
| 89 } | 120 } |
| 90 | 121 |
| 91 scoped_refptr<MessageAttachment> MessageAttachmentSet::GetAttachmentAt( | 122 scoped_refptr<MessageAttachment> |
| 92 unsigned index) { | 123 MessageAttachmentSet::GetNonBrokerableAttachmentAt(unsigned index) { |
| 93 if (index >= size()) { | 124 if (index >= num_non_brokerable_attachments()) { |
| 94 DLOG(WARNING) << "Accessing out of bound index:" << index << "/" << size(); | 125 DLOG(WARNING) << "Accessing out of bound index:" << index << "/" |
| 126 << num_non_brokerable_attachments(); |
| 95 return scoped_refptr<MessageAttachment>(); | 127 return scoped_refptr<MessageAttachment>(); |
| 96 } | 128 } |
| 97 | 129 |
| 98 // We should always walk the descriptors in order, so it's reasonable to | 130 // We should always walk the descriptors in order, so it's reasonable to |
| 99 // enforce this. Consider the case where a compromised renderer sends us | 131 // enforce this. Consider the case where a compromised renderer sends us |
| 100 // the following message: | 132 // the following message: |
| 101 // | 133 // |
| 102 // ExampleMsg: | 134 // ExampleMsg: |
| 103 // num_fds:2 msg:FD(index = 1) control:SCM_RIGHTS {n, m} | 135 // num_fds:2 msg:FD(index = 1) control:SCM_RIGHTS {n, m} |
| 104 // | 136 // |
| 105 // Here the renderer sent us a message which should have a descriptor, but | 137 // Here the renderer sent us a message which should have a descriptor, but |
| 106 // actually sent two in an attempt to fill our fd table and kill us. By | 138 // actually sent two in an attempt to fill our fd table and kill us. By |
| 107 // setting the index of the descriptor in the message to 1 (it should be | 139 // setting the index of the descriptor in the message to 1 (it should be |
| 108 // 0), we would record a highwater of 1 and then consider all the | 140 // 0), we would record a highwater of 1 and then consider all the |
| 109 // descriptors to have been used. | 141 // descriptors to have been used. |
| 110 // | 142 // |
| 111 // So we can either track of the use of each descriptor in a bitset, or we | 143 // So we can either track of the use of each descriptor in a bitset, or we |
| 112 // can enforce that we walk the indexes strictly in order. | 144 // can enforce that we walk the indexes strictly in order. |
| 113 // | 145 // |
| 114 // There's one more wrinkle: When logging messages, we may reparse them. So | 146 // There's one more wrinkle: When logging messages, we may reparse them. So |
| 115 // we have an exception: When the consumed_descriptor_highwater_ is at the | 147 // we have an exception: When the consumed_descriptor_highwater_ is at the |
| 116 // end of the array and index 0 is requested, we reset the highwater value. | 148 // end of the array and index 0 is requested, we reset the highwater value. |
| 117 // TODO(morrita): This is absurd. This "wringle" disallow to introduce clearer | 149 // TODO(morrita): This is absurd. This "wringle" disallow to introduce clearer |
| 118 // ownership model. Only client is NaclIPCAdapter. See crbug.com/415294 | 150 // ownership model. Only client is NaclIPCAdapter. See crbug.com/415294 |
| 119 if (index == 0 && consumed_descriptor_highwater_ == size()) { | 151 if (index == 0 && |
| 152 consumed_descriptor_highwater_ == num_non_brokerable_attachments()) { |
| 120 consumed_descriptor_highwater_ = 0; | 153 consumed_descriptor_highwater_ = 0; |
| 121 } | 154 } |
| 122 | 155 |
| 123 if (index != consumed_descriptor_highwater_) | 156 if (index != consumed_descriptor_highwater_) |
| 124 return scoped_refptr<MessageAttachment>(); | 157 return scoped_refptr<MessageAttachment>(); |
| 125 | 158 |
| 126 consumed_descriptor_highwater_ = index + 1; | 159 consumed_descriptor_highwater_ = index + 1; |
| 127 | 160 |
| 128 return attachments_[index]; | 161 return attachments_[index]; |
| 129 } | 162 } |
| 130 | 163 |
| 164 scoped_refptr<MessageAttachment> |
| 165 MessageAttachmentSet::GetBrokerableAttachmentAt(unsigned index) { |
| 166 if (index >= num_brokerable_attachments()) { |
| 167 DLOG(WARNING) << "Accessing out of bound index:" << index << "/" |
| 168 << num_brokerable_attachments(); |
| 169 return scoped_refptr<MessageAttachment>(); |
| 170 } |
| 171 |
| 172 scoped_refptr<BrokerableAttachment> brokerable_attachment( |
| 173 brokerable_attachments_[index]); |
| 174 return scoped_refptr<MessageAttachment>(brokerable_attachment.get()); |
| 175 } |
| 176 |
| 131 void MessageAttachmentSet::CommitAllDescriptors() { | 177 void MessageAttachmentSet::CommitAllDescriptors() { |
| 132 attachments_.clear(); | 178 attachments_.clear(); |
| 133 consumed_descriptor_highwater_ = 0; | 179 consumed_descriptor_highwater_ = 0; |
| 134 } | 180 } |
| 135 | 181 |
| 182 std::vector<scoped_refptr<IPC::BrokerableAttachment>> |
| 183 MessageAttachmentSet::GetBrokerableAttachments() const { |
| 184 return brokerable_attachments_; |
| 185 } |
| 186 |
| 187 #if defined(OS_POSIX) |
| 188 |
| 189 void MessageAttachmentSet::PeekDescriptors(base::PlatformFile* buffer) const { |
| 190 for (size_t i = 0; i != attachments_.size(); ++i) |
| 191 buffer[i] = internal::GetPlatformFile(attachments_[i]); |
| 192 } |
| 193 |
| 194 bool MessageAttachmentSet::ContainsDirectoryDescriptor() const { |
| 195 struct stat st; |
| 196 |
| 197 for (auto i = attachments_.begin(); i != attachments_.end(); ++i) { |
| 198 if (fstat(internal::GetPlatformFile(*i), &st) == 0 && S_ISDIR(st.st_mode)) |
| 199 return true; |
| 200 } |
| 201 |
| 202 return false; |
| 203 } |
| 204 |
| 205 void MessageAttachmentSet::ReleaseFDsToClose( |
| 206 std::vector<base::PlatformFile>* fds) { |
| 207 for (size_t i = 0; i < attachments_.size(); ++i) { |
| 208 internal::PlatformFileAttachment* file = |
| 209 static_cast<internal::PlatformFileAttachment*>(attachments_[i].get()); |
| 210 if (file->Owns()) |
| 211 fds->push_back(file->TakePlatformFile()); |
| 212 } |
| 213 |
| 214 CommitAllDescriptors(); |
| 215 } |
| 216 |
| 217 void MessageAttachmentSet::AddDescriptorsToOwn(const base::PlatformFile* buffer, |
| 218 unsigned count) { |
| 219 DCHECK(count <= kMaxDescriptorsPerMessage); |
| 220 DCHECK_EQ(num_descriptors(), 0u); |
| 221 DCHECK_EQ(consumed_descriptor_highwater_, 0u); |
| 222 |
| 223 attachments_.reserve(count); |
| 224 for (unsigned i = 0; i < count; ++i) |
| 225 AddAttachment( |
| 226 new internal::PlatformFileAttachment(base::ScopedFD(buffer[i]))); |
| 227 } |
| 228 |
| 229 #endif // OS_POSIX |
| 230 |
| 136 } // namespace IPC | 231 } // namespace IPC |
| 232 |
| 233 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2504063002:
Revert of Remove IPC::BrokerableAttachment. (Closed)
