| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <stdio.h> | 5 #include <stdio.h> |
| 6 #include <string> | 6 #include <string> |
| 7 #include <sstream> | 7 #include <sstream> |
| 8 | 8 |
| 9 #include "base/message_loop/message_loop.h" | 9 #include "base/message_loop/message_loop.h" |
| 10 #include "base/threading/platform_thread.h" | 10 #include "base/threading/platform_thread.h" |
| 31 IPC_MESSAGE_CONTROL0(MsgUnhandled) | 31 IPC_MESSAGE_CONTROL0(MsgUnhandled) |
| 32 | 32 |
| 33 // ----------------------------------------------------------------------------- | 33 // ----------------------------------------------------------------------------- |
| 34 | 34 |
| 35 namespace { | 35 namespace { |
| 36 | 36 |
| 37 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) { | 37 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) { |
| 38 //This was BUG 984408. | 38 //This was BUG 984408. |
| 39 uint32 v1 = kuint32max - 1; | 39 uint32 v1 = kuint32max - 1; |
| 40 int v2 = 666; | 40 int v2 = 666; |
| 41 IPC::Message m(0, 1); | 41 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL); |
| 42 EXPECT_TRUE(m.WriteInt(v1)); | 42 EXPECT_TRUE(m.WriteInt(v1)); |
| 43 EXPECT_TRUE(m.WriteInt(v2)); | 43 EXPECT_TRUE(m.WriteInt(v2)); |
| 44 | 44 |
| 45 PickleIterator iter(m); | 45 PickleIterator iter(m); |
| 46 std::string vs; | 46 std::string vs; |
| 47 EXPECT_FALSE(m.ReadString(&iter, &vs)); | 47 EXPECT_FALSE(m.ReadString(&iter, &vs)); |
| 48 } | 48 } |
| 49 | 49 |
| 50 TEST(IPCMessageIntegrity, ReadBeyondBufferWStr) { | 50 TEST(IPCMessageIntegrity, ReadBeyondBufferWStr) { |
| 51 //This was BUG 984408. | 51 //This was BUG 984408. |
| 52 uint32 v1 = kuint32max - 1; | 52 uint32 v1 = kuint32max - 1; |
| 53 int v2 = 777; | 53 int v2 = 777; |
| 54 IPC::Message m(0, 1); | 54 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL); |
| 55 EXPECT_TRUE(m.WriteInt(v1)); | 55 EXPECT_TRUE(m.WriteInt(v1)); |
| 56 EXPECT_TRUE(m.WriteInt(v2)); | 56 EXPECT_TRUE(m.WriteInt(v2)); |
| 57 | 57 |
| 58 PickleIterator iter(m); | 58 PickleIterator iter(m); |
| 59 std::wstring vs; | 59 std::wstring vs; |
| 60 EXPECT_FALSE(m.ReadWString(&iter, &vs)); | 60 EXPECT_FALSE(m.ReadWString(&iter, &vs)); |
| 61 } | 61 } |
| 62 | 62 |
| 63 TEST(IPCMessageIntegrity, ReadBytesBadIterator) { | 63 TEST(IPCMessageIntegrity, ReadBytesBadIterator) { |
| 64 // This was BUG 1035467. | 64 // This was BUG 1035467. |
| 65 IPC::Message m(0, 1); | 65 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL); |
| 66 EXPECT_TRUE(m.WriteInt(1)); | 66 EXPECT_TRUE(m.WriteInt(1)); |
| 67 EXPECT_TRUE(m.WriteInt(2)); | 67 EXPECT_TRUE(m.WriteInt(2)); |
| 68 | 68 |
| 69 PickleIterator iter(m); | 69 PickleIterator iter(m); |
| 70 const char* data = NULL; | 70 const char* data = NULL; |
| 71 EXPECT_TRUE(m.ReadBytes(&iter, &data, sizeof(int))); | 71 EXPECT_TRUE(m.ReadBytes(&iter, &data, sizeof(int))); |
| 72 } | 72 } |
| 73 | 73 |
| 74 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) { | 74 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) { |
| 75 // A slight variation of BUG 984408. Note that the pickling of vector<char> | 75 // A slight variation of BUG 984408. Note that the pickling of vector<char> |
| 76 // has a specialized template which is not vulnerable to this bug. So here | 76 // has a specialized template which is not vulnerable to this bug. So here |
| 77 // try to hit the non-specialized case vector<P>. | 77 // try to hit the non-specialized case vector<P>. |
| 78 IPC::Message m(0, 1); | 78 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL); |
| 79 EXPECT_TRUE(m.WriteInt(-1)); // This is the count of elements. | 79 EXPECT_TRUE(m.WriteInt(-1)); // This is the count of elements. |
| 80 EXPECT_TRUE(m.WriteInt(1)); | 80 EXPECT_TRUE(m.WriteInt(1)); |
| 81 EXPECT_TRUE(m.WriteInt(2)); | 81 EXPECT_TRUE(m.WriteInt(2)); |
| 82 EXPECT_TRUE(m.WriteInt(3)); | 82 EXPECT_TRUE(m.WriteInt(3)); |
| 83 | 83 |
| 84 std::vector<double> vec; | 84 std::vector<double> vec; |
| 85 PickleIterator iter(m); | 85 PickleIterator iter(m); |
| 86 EXPECT_FALSE(ReadParam(&m, &iter, &vec)); | 86 EXPECT_FALSE(ReadParam(&m, &iter, &vec)); |
| 87 } | 87 } |
| 88 | 88 |
| 89 TEST(IPCMessageIntegrity, ReadVectorTooLarge1) { | 89 TEST(IPCMessageIntegrity, ReadVectorTooLarge1) { |
| 90 // This was BUG 1006367. This is the large but positive length case. Again | 90 // This was BUG 1006367. This is the large but positive length case. Again |
| 91 // we try to hit the non-specialized case vector<P>. | 91 // we try to hit the non-specialized case vector<P>. |
| 92 IPC::Message m(0, 1); | 92 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL); |
| 93 EXPECT_TRUE(m.WriteInt(0x21000003)); // This is the count of elements. | 93 EXPECT_TRUE(m.WriteInt(0x21000003)); // This is the count of elements. |
| 94 EXPECT_TRUE(m.WriteInt64(1)); | 94 EXPECT_TRUE(m.WriteInt64(1)); |
| 95 EXPECT_TRUE(m.WriteInt64(2)); | 95 EXPECT_TRUE(m.WriteInt64(2)); |
| 96 | 96 |
| 97 std::vector<int64> vec; | 97 std::vector<int64> vec; |
| 98 PickleIterator iter(m); | 98 PickleIterator iter(m); |
| 99 EXPECT_FALSE(ReadParam(&m, &iter, &vec)); | 99 EXPECT_FALSE(ReadParam(&m, &iter, &vec)); |
| 100 } | 100 } |
| 101 | 101 |
| 102 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) { | 102 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) { |
| 103 // This was BUG 1006367. This is the large but positive with an additional | 103 // This was BUG 1006367. This is the large but positive with an additional |
| 104 // integer overflow when computing the actual byte size. Again we try to hit | 104 // integer overflow when computing the actual byte size. Again we try to hit |
| 105 // the non-specialized case vector<P>. | 105 // the non-specialized case vector<P>. |
| 106 IPC::Message m(0, 1); | 106 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL); |
| 107 EXPECT_TRUE(m.WriteInt(0x71000000)); // This is the count of elements. | 107 EXPECT_TRUE(m.WriteInt(0x71000000)); // This is the count of elements. |
| 108 EXPECT_TRUE(m.WriteInt64(1)); | 108 EXPECT_TRUE(m.WriteInt64(1)); |
| 109 EXPECT_TRUE(m.WriteInt64(2)); | 109 EXPECT_TRUE(m.WriteInt64(2)); |
| 110 | 110 |
| 111 std::vector<int64> vec; | 111 std::vector<int64> vec; |
| 112 PickleIterator iter(m); | 112 PickleIterator iter(m); |
| 113 EXPECT_FALSE(ReadParam(&m, &iter, &vec)); | 113 EXPECT_FALSE(ReadParam(&m, &iter, &vec)); |
| 114 } | 114 } |
| 115 | 115 |
| 116 class SimpleListener : public IPC::Listener { | 116 class SimpleListener : public IPC::Listener { |
| 157 Cleanup(); | 157 Cleanup(); |
| 158 } | 158 } |
| 159 | 159 |
| 160 void OnMsgClassSIMessage(const std::wstring& text, int value) { | 160 void OnMsgClassSIMessage(const std::wstring& text, int value) { |
| 161 UseData(MsgClassSI::ID, value, text); | 161 UseData(MsgClassSI::ID, value, text); |
| 162 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value); | 162 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value); |
| 163 Cleanup(); | 163 Cleanup(); |
| 164 } | 164 } |
| 165 | 165 |
| 166 bool RoundtripAckReply(int routing, uint32 type_id, int reply) { | 166 bool RoundtripAckReply(int routing, uint32 type_id, int reply) { |
| 167 IPC::Message* message = new IPC::Message(routing, type_id); | 167 IPC::Message* message = new IPC::Message(routing, type_id, |
| 168 IPC::Message::PRIORITY_NORMAL); |
| 168 message->WriteInt(reply + 1); | 169 message->WriteInt(reply + 1); |
| 169 message->WriteInt(reply); | 170 message->WriteInt(reply); |
| 170 return other_->Send(message); | 171 return other_->Send(message); |
| 171 } | 172 } |
| 172 | 173 |
| 173 void Cleanup() { | 174 void Cleanup() { |
| 174 --message_count_; | 175 --message_count_; |
| 175 --pending_messages_; | 176 --pending_messages_; |
| 176 if (0 == message_count_) | 177 if (0 == message_count_) |
| 177 base::MessageLoop::current()->Quit(); | 178 base::MessageLoop::current()->Quit(); |
| 290 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON) | 291 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON) |
| 291 TEST_F(IPCFuzzingTest, MsgBadPayloadShort) { | 292 TEST_F(IPCFuzzingTest, MsgBadPayloadShort) { |
| 292 Init("FuzzServerClient"); | 293 Init("FuzzServerClient"); |
| 293 | 294 |
| 294 FuzzerClientListener listener; | 295 FuzzerClientListener listener; |
| 295 CreateChannel(&listener); | 296 CreateChannel(&listener); |
| 296 listener.Init(channel()); | 297 listener.Init(channel()); |
| 297 ASSERT_TRUE(ConnectChannel()); | 298 ASSERT_TRUE(ConnectChannel()); |
| 298 ASSERT_TRUE(StartClient()); | 299 ASSERT_TRUE(StartClient()); |
| 299 | 300 |
| 300 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID); | 301 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID, |
| 302 IPC::Message::PRIORITY_NORMAL); |
| 301 msg->WriteInt(666); | 303 msg->WriteInt(666); |
| 302 sender()->Send(msg); | 304 sender()->Send(msg); |
| 303 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID)); | 305 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID)); |
| 304 | 306 |
| 305 msg = new MsgClassSI(L"expect one", 1); | 307 msg = new MsgClassSI(L"expect one", 1); |
| 306 sender()->Send(msg); | 308 sender()->Send(msg); |
| 307 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID)); | 309 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID)); |
| 308 | 310 |
| 309 EXPECT_TRUE(WaitForClientShutdown()); | 311 EXPECT_TRUE(WaitForClientShutdown()); |
| 310 DestroyChannel(); | 312 DestroyChannel(); |
| 311 } | 313 } |
| 312 #endif | 314 #endif |
| 313 | 315 |
| 314 // This test uses a payload that has too many arguments, but so the payload size | 316 // This test uses a payload that has too many arguments, but so the payload size |
| 315 // is big enough so the unpacking routine does not generate an error as in the | 317 // is big enough so the unpacking routine does not generate an error as in the |
| 316 // case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se) | 318 // case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se) |
| 317 // as by design we don't carry type information on the IPC message. | 319 // as by design we don't carry type information on the IPC message. |
| 318 TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) { | 320 TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) { |
| 319 Init("FuzzServerClient"); | 321 Init("FuzzServerClient"); |
| 320 | 322 |
| 321 FuzzerClientListener listener; | 323 FuzzerClientListener listener; |
| 322 CreateChannel(&listener); | 324 CreateChannel(&listener); |
| 323 listener.Init(channel()); | 325 listener.Init(channel()); |
| 324 ASSERT_TRUE(ConnectChannel()); | 326 ASSERT_TRUE(ConnectChannel()); |
| 325 ASSERT_TRUE(StartClient()); | 327 ASSERT_TRUE(StartClient()); |
| 326 | 328 |
| 327 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID); | 329 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID, |
| 330 IPC::Message::PRIORITY_NORMAL); |
| 328 msg->WriteWString(L"d"); | 331 msg->WriteWString(L"d"); |
| 329 msg->WriteInt(0); | 332 msg->WriteInt(0); |
| 330 msg->WriteInt(0x65); // Extra argument. | 333 msg->WriteInt(0x65); // Extra argument. |
| 331 | 334 |
| 332 sender()->Send(msg); | 335 sender()->Send(msg); |
| 333 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID)); | 336 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID)); |
| 334 | 337 |
| 335 // Now send a well formed message to make sure the receiver wasn't | 338 // Now send a well formed message to make sure the receiver wasn't |
| 336 // thrown out of sync by the extra argument. | 339 // thrown out of sync by the extra argument. |
| 337 msg = new MsgClassIS(3, L"expect three"); | 340 msg = new MsgClassIS(3, L"expect three"); |
| 383 // Test the regular messages. | 386 // Test the regular messages. |
| 384 msg = new MsgClassIS(3, L"text3"); | 387 msg = new MsgClassIS(3, L"text3"); |
| 385 EXPECT_TRUE(server.OnMessageReceived(*msg)); | 388 EXPECT_TRUE(server.OnMessageReceived(*msg)); |
| 386 delete msg; | 389 delete msg; |
| 387 msg = new MsgClassSI(L"text2", 2); | 390 msg = new MsgClassSI(L"text2", 2); |
| 388 EXPECT_TRUE(server.OnMessageReceived(*msg)); | 391 EXPECT_TRUE(server.OnMessageReceived(*msg)); |
| 389 delete msg; | 392 delete msg; |
| 390 | 393 |
| 391 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON) | 394 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON) |
| 392 // Test a bad message. | 395 // Test a bad message. |
| 393 msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID); | 396 msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID, |
| 397 IPC::Message::PRIORITY_NORMAL); |
| 394 msg->WriteInt(2); | 398 msg->WriteInt(2); |
| 395 EXPECT_FALSE(server.OnMessageReceived(*msg)); | 399 EXPECT_FALSE(server.OnMessageReceived(*msg)); |
| 396 delete msg; | 400 delete msg; |
| 397 | 401 |
| 398 msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID); | 402 msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID, |
| 403 IPC::Message::PRIORITY_NORMAL); |
| 399 msg->WriteInt(0x64); | 404 msg->WriteInt(0x64); |
| 400 msg->WriteInt(0x32); | 405 msg->WriteInt(0x32); |
| 401 EXPECT_FALSE(server.OnMessageReceived(*msg)); | 406 EXPECT_FALSE(server.OnMessageReceived(*msg)); |
| 402 delete msg; | 407 delete msg; |
| 403 | 408 |
| 404 EXPECT_EQ(0, server.unhandled_msgs()); | 409 EXPECT_EQ(0, server.unhandled_msgs()); |
| 405 #endif | 410 #endif |
| 406 } | 411 } |
| 407 | 412 |
| 408 } // namespace | 413 } // namespace |