authormichaeln@google.com <michaeln@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-13 18:25:23 +0000
committermichaeln@google.com <michaeln@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-13 18:25:23 +0000
commitfd8d08436730ef67591de7665da88e995159b773 (patch)
tree66eaf874721bdd411e90acbef34a4b32f57cfa57 /chrome/common/appcache
parent708555800b168c3fc694f5f391d8128e0f0dca48 (diff)
AppCache: Kill bad renderers when we receive bad IPC messages.
TEST=none BUG=none Review URL: http://codereview.chromium.org/273012 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@28849 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/common/appcache')
-rw-r--r--chrome/common/appcache/appcache_dispatcher_host.cc128
-rw-r--r--chrome/common/appcache/appcache_dispatcher_host.h9
2 files changed, 100 insertions, 37 deletions
diff --git a/chrome/common/appcache/appcache_dispatcher_host.cc b/chrome/common/appcache/appcache_dispatcher_host.cc
index 0fac0cf..91a181f 100644
--- a/chrome/common/appcache/appcache_dispatcher_host.cc
+++ b/chrome/common/appcache/appcache_dispatcher_host.cc
@@ -4,17 +4,21 @@
#include "chrome/common/appcache/appcache_dispatcher_host.h"
+#include "chrome/browser/renderer_host/browser_render_process_host.h"
#include "chrome/common/appcache/chrome_appcache_service.h"
#include "chrome/common/render_messages.h"
AppCacheDispatcherHost::AppCacheDispatcherHost(
ChromeAppCacheService* appcache_service)
- : appcache_service_(appcache_service) {
+ : appcache_service_(appcache_service),
+ process_handle_(0) {
}
void AppCacheDispatcherHost::Initialize(IPC::Message::Sender* sender,
- int process_id) {
+ int process_id, base::ProcessHandle process_handle) {
DCHECK(sender);
+ DCHECK(process_handle && !process_handle_);
+ process_handle_ = process_handle;
frontend_proxy_.set_sender(sender);
if (appcache_service_.get()) {
backend_impl_.Initialize(
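Review bot: The validity of `process_handle` is enforced only by `DCHECK(process_handle && !process_handle_)`, which presumably compiles out of release builds, yet this is the handle that `ReceivedBadMessage` later passes to `BadMessageTerminateProcess`. If a null handle reached `Initialize` in a release build, the kill-on-bad-message path would run against handle 0, and whether that fails safely is not visible in this diff. Consider a check that survives release builds, for example `CHECK(process_handle);`, and a comment on `process_handle_(0)` such as `// 0 until Initialize() supplies the renderer's handle`. The body of `Initialize` continues past the end of this hunk.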
@@ -30,7 +34,7 @@ void AppCacheDispatcherHost::Initialize(IPC::Message::Sender* sender,
bool AppCacheDispatcherHost::OnMessageReceived(const IPC::Message& msg,
bool *msg_ok) {
- DCHECK(frontend_proxy_.sender());
+ DCHECK(process_handle_);
*msg_ok = true;
bool handled = true;
IPC_BEGIN_MESSAGE_MAP_EX(AppCacheDispatcherHost, msg, *msg_ok)
@@ -46,82 +50,134 @@ bool AppCacheDispatcherHost::OnMessageReceived(const IPC::Message& msg,
return handled;
}
-// TODO(michaeln): Handle the invalid host id error condition, probably
-// terminate the child process.
-
void AppCacheDispatcherHost::OnRegisterHost(int host_id) {
- if (appcache_service_.get())
- backend_impl_.RegisterHost(host_id);
+ if (appcache_service_.get()) {
+ if (!backend_impl_.RegisterHost(host_id)) {
+ ReceivedBadMessage(AppCacheMsg_RegisterHost::ID);
+ }
+ }
}
void AppCacheDispatcherHost::OnUnregisterHost(int host_id) {
- if (appcache_service_.get())
- backend_impl_.UnregisterHost(host_id);
+ if (appcache_service_.get()) {
+ if (!backend_impl_.UnregisterHost(host_id)) {
+ ReceivedBadMessage(AppCacheMsg_UnregisterHost::ID);
+ }
+ }
}
void AppCacheDispatcherHost::OnSelectCache(
int host_id, const GURL& document_url,
int64 cache_document_was_loaded_from,
const GURL& opt_manifest_url) {
- if (appcache_service_.get())
- backend_impl_.SelectCache(host_id, document_url,
- cache_document_was_loaded_from,
- opt_manifest_url);
- else
+ if (appcache_service_.get()) {
+ if (!backend_impl_.SelectCache(host_id, document_url,
+ cache_document_was_loaded_from,
+ opt_manifest_url)) {
+ ReceivedBadMessage(AppCacheMsg_SelectCache::ID);
+ }
+ } else {
frontend_proxy_.OnCacheSelected(
host_id, appcache::kNoCacheId, appcache::UNCACHED);
+ }
}
void AppCacheDispatcherHost::OnMarkAsForeignEntry(
int host_id, const GURL& document_url,
int64 cache_document_was_loaded_from) {
- if (appcache_service_.get())
- backend_impl_.MarkAsForeignEntry(host_id, document_url,
- cache_document_was_loaded_from);
+ if (appcache_service_.get()) {
+ if (!backend_impl_.MarkAsForeignEntry(host_id, document_url,
+ cache_document_was_loaded_from)) {
+ ReceivedBadMessage(AppCacheMsg_MarkAsForeignEntry::ID);
+ }
+ }
}
void AppCacheDispatcherHost::OnGetStatus(int host_id,
IPC::Message* reply_msg) {
- if (appcache_service_.get())
- backend_impl_.GetStatusWithCallback(
- host_id, get_status_callback_.get(), reply_msg);
- else
- GetStatusCallback(appcache::UNCACHED, reply_msg);
+ if (pending_reply_msg_.get()) {
+ ReceivedBadMessage(AppCacheMsg_GetStatus::ID);
+ delete reply_msg;
+ return;
+ }
+
+ pending_reply_msg_.reset(reply_msg);
+ if (appcache_service_.get()) {
+ if (!backend_impl_.GetStatusWithCallback(
+ host_id, get_status_callback_.get(), reply_msg)) {
+ ReceivedBadMessage(AppCacheMsg_GetStatus::ID);
+ }
+ return;
+ }
+
+ GetStatusCallback(appcache::UNCACHED, reply_msg);
}
void AppCacheDispatcherHost::OnStartUpdate(int host_id,
IPC::Message* reply_msg) {
- if (appcache_service_.get())
- backend_impl_.StartUpdateWithCallback(
- host_id, start_update_callback_.get(), reply_msg);
- else
- StartUpdateCallback(false, reply_msg);
+ if (pending_reply_msg_.get()) {
+ ReceivedBadMessage(AppCacheMsg_StartUpdate::ID);
+ delete reply_msg;
+ return;
+ }
+
+ pending_reply_msg_.reset(reply_msg);
+ if (appcache_service_.get()) {
+ if (!backend_impl_.StartUpdateWithCallback(
+ host_id, start_update_callback_.get(), reply_msg)) {
+ ReceivedBadMessage(AppCacheMsg_StartUpdate::ID);
+ }
+ return;
+ }
+
+ StartUpdateCallback(false, reply_msg);
}
void AppCacheDispatcherHost::OnSwapCache(int host_id,
IPC::Message* reply_msg) {
- if (appcache_service_.get())
- backend_impl_.SwapCacheWithCallback(
- host_id, swap_cache_callback_.get(), reply_msg);
- else
- SwapCacheCallback(false, reply_msg);
+ if (pending_reply_msg_.get()) {
+ ReceivedBadMessage(AppCacheMsg_SwapCache::ID);
+ delete reply_msg;
+ return;
+ }
+
+ pending_reply_msg_.reset(reply_msg);
+ if (appcache_service_.get()) {
+ if (!backend_impl_.SwapCacheWithCallback(
+ host_id, swap_cache_callback_.get(), reply_msg)) {
+ ReceivedBadMessage(AppCacheMsg_SwapCache::ID);
+ }
+ return;
+ }
+
+ SwapCacheCallback(false, reply_msg);
}
void AppCacheDispatcherHost::GetStatusCallback(
appcache::Status status, void* param) {
IPC::Message* reply_msg = reinterpret_cast<IPC::Message*>(param);
+ DCHECK(reply_msg == pending_reply_msg_.get());
AppCacheMsg_GetStatus::WriteReplyParams(reply_msg, status);
- frontend_proxy_.sender()->Send(reply_msg);
+ frontend_proxy_.sender()->Send(pending_reply_msg_.release());
}
void AppCacheDispatcherHost::StartUpdateCallback(bool result, void* param) {
IPC::Message* reply_msg = reinterpret_cast<IPC::Message*>(param);
+ DCHECK(reply_msg == pending_reply_msg_.get());
AppCacheMsg_StartUpdate::WriteReplyParams(reply_msg, result);
- frontend_proxy_.sender()->Send(reply_msg);
+ frontend_proxy_.sender()->Send(pending_reply_msg_.release());
}
void AppCacheDispatcherHost::SwapCacheCallback(bool result, void* param) {
IPC::Message* reply_msg = reinterpret_cast<IPC::Message*>(param);
+ DCHECK(reply_msg == pending_reply_msg_.get());
AppCacheMsg_SwapCache::WriteReplyParams(reply_msg, result);
- frontend_proxy_.sender()->Send(reply_msg);
+ frontend_proxy_.sender()->Send(pending_reply_msg_.release());
+}
+
+void AppCacheDispatcherHost::ReceivedBadMessage(uint16 msg_type) {
+ // TODO(michaeln): Consider gathering UMA stats
+ // http://code.google.com/p/chromium/issues/detail?id=24634
+ BrowserRenderProcessHost::BadMessageTerminateProcess(
+ msg_type, process_handle_);
}
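Review bot: In `GetStatusCallback`, `StartUpdateCallback` and `SwapCacheCallback` the reply parameters are written through `param`, but the message that is sent is `pending_reply_msg_.release()`, and only a `DCHECK` ties the two pointers together. If they ever differed in a release build, the code would write into one message (possibly one that is no longer owned) and send another without its reply params. Taking both from the same owner removes that dependency: keep `DCHECK(param == pending_reply_msg_.get());`, then use `IPC::Message* reply_msg = pending_reply_msg_.release();` for both `WriteReplyParams` and `Send(reply_msg)`. The three `On*` sync handlers would also benefit from a short comment stating that after a failed backend call the reply stays owned by `pending_reply_msg_` and is intentionally never sent, because the renderer is being terminated.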
diff --git a/chrome/common/appcache/appcache_dispatcher_host.h b/chrome/common/appcache/appcache_dispatcher_host.h
index 47f245a..31adcdf 100644
--- a/chrome/common/appcache/appcache_dispatcher_host.h
+++ b/chrome/common/appcache/appcache_dispatcher_host.h
@@ -6,6 +6,8 @@
#define CHROME_COMMON_APPCACHE_APPCACHE_DISPATCHER_HOST_H_
#include <vector>
+
+#include "base/process.h"
#include "base/ref_counted.h"
#include "base/scoped_ptr.h"
#include "chrome/common/appcache/appcache_frontend_proxy.h"
@@ -22,7 +24,8 @@ class AppCacheDispatcherHost {
public:
explicit AppCacheDispatcherHost(ChromeAppCacheService* appcache_service);
- void Initialize(IPC::Message::Sender* sender, int process_id);
+ void Initialize(IPC::Message::Sender* sender, int process_id,
+ base::ProcessHandle process_handle);
bool OnMessageReceived(const IPC::Message& msg, bool* msg_is_ok);
int process_id() const { return backend_impl_.process_id(); }
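Review bot: The new `process_handle` parameter of `Initialize` has no comment saying who owns the handle or how long it must stay valid. The host keeps the raw `base::ProcessHandle` and uses it later to terminate the renderer, so if the caller closed the handle in the meantime the termination could fail or, if the handle value were reused, act on something else; the diff does not show which applies. A declaration comment along the lines of `// |process_handle| is not owned and must remain valid for the lifetime of this object; it is used to terminate the renderer on bad IPC.` would make the contract explicit. The class definition starts and ends outside this hunk.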
@@ -49,12 +52,16 @@ class AppCacheDispatcherHost {
void StartUpdateCallback(bool result, void* param);
void SwapCacheCallback(bool result, void* param);
+ void ReceivedBadMessage(uint16 msg_type);
+
AppCacheFrontendProxy frontend_proxy_;
appcache::AppCacheBackendImpl backend_impl_;
scoped_refptr<ChromeAppCacheService> appcache_service_;
scoped_ptr<appcache::GetStatusCallback> get_status_callback_;
scoped_ptr<appcache::StartUpdateCallback> start_update_callback_;
scoped_ptr<appcache::SwapCacheCallback> swap_cache_callback_;
+ base::ProcessHandle process_handle_;
+ scoped_ptr<IPC::Message> pending_reply_msg_;
DISALLOW_COPY_AND_ASSIGN(AppCacheDispatcherHost);
};
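Review bot: `pending_reply_msg_` and `ReceivedBadMessage` are added without comments, although they carry the security-relevant contract of this change. The `.cc` side treats a second sync message arriving while `pending_reply_msg_` is set as a bad message and terminates the renderer, which is not obvious from the header. Suggested comments: `// Reply for the single sync message in flight; a renderer that sends another sync message before this is answered is treated as misbehaving.` on the member, and `// Terminates the renderer process that sent a malformed or unexpected message.` on `ReceivedBadMessage`. The class body begins outside this hunk.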