Private Pepper extension for Flapper to allow TCP connections to be made

(from inside the renderer sandbox).

(Only enabled on ChromeOS, since it opens a hole in the renderer. This should be
revisited, with controls tightened, once Flapper runs out of process.)

BUG=none
TEST=none

Review URL: http://codereview.chromium.org/5098002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@70687 0039d316-1c4b-4281-b951-d872f2087c98

13 files changed, 515 insertions, 10 deletions

diff --git a/chrome/browser/DEPS b/chrome/browser/DEPS
index a052a2d..1d4653b 100644
--- a/chrome/browser/DEPS
+++ b/chrome/browser/DEPS
@@ -8,6 +8,7 @@ include_rules = [
   "+chrome/tools/profiles",  # For history unit tests.
   "+chrome/views",
   "+grit",  # For generated headers
+  "+ppapi/c",  # For various types.
   "+ppapi/proxy",
   "+rlz",
   "+sandbox/linux",
diff --git a/chrome/browser/renderer_host/browser_render_process_host.cc b/chrome/browser/renderer_host/browser_render_process_host.cc
index d901a77..3b97c4b 100644
--- a/chrome/browser/renderer_host/browser_render_process_host.cc
+++ b/chrome/browser/renderer_host/browser_render_process_host.cc
@@ -54,6 +54,7 @@
 #include "chrome/browser/renderer_host/database_message_filter.h"
 #include "chrome/browser/renderer_host/file_utilities_message_filter.h"
 #include "chrome/browser/renderer_host/pepper_file_message_filter.h"
+#include "chrome/browser/renderer_host/pepper_message_filter.h"
 #include "chrome/browser/renderer_host/render_message_filter.h"
 #include "chrome/browser/renderer_host/render_view_host.h"
 #include "chrome/browser/renderer_host/render_view_host_delegate.h"
@@ -452,6 +453,7 @@ void BrowserRenderProcessHost::CreateMessageFilters() {
       GeolocationDispatcherHost::New(
           id(), profile()->GetGeolocationPermissionContext()));
   channel_->AddFilter(new PepperFileMessageFilter(id(), profile()));
+  channel_->AddFilter(new PepperMessageFilter(profile()));
   channel_->AddFilter(new speech_input::SpeechInputDispatcherHost(id()));
   channel_->AddFilter(
       new SearchProviderInstallStateMessageFilter(id(), profile()));
diff --git a/chrome/browser/renderer_host/pepper_message_filter.cc b/chrome/browser/renderer_host/pepper_message_filter.cc
new file mode 100644
index 0000000..62464af
--- /dev/null
+++ b/chrome/browser/renderer_host/pepper_message_filter.cc
@@ -0,0 +1,285 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/renderer_host/pepper_message_filter.h"
+
+#include "base/basictypes.h"
+#include "base/process_util.h"
+#include "base/threading/worker_pool.h"
+#include "chrome/browser/browser_thread.h"
+#include "chrome/browser/net/chrome_url_request_context.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/renderer_host/browser_render_process_host.h"
+#include "chrome/common/render_messages.h"
+#include "net/base/address_list.h"
+#include "net/base/host_port_pair.h"
+#include "net/base/host_resolver.h"
+#include "net/url_request/url_request_context.h"
+#include "webkit/plugins/ppapi/ppb_flash_impl.h"
+
+#if defined(ENABLE_FLAPPER_HACKS)
+#include <netdb.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+// Make sure the storage in |PP_Flash_NetAddress| is big enough. (Do it here
+// since the data is opaque elsewhere.)
+COMPILE_ASSERT(sizeof(reinterpret_cast<PP_Flash_NetAddress*>(0)->data) >=
+               sizeof(sockaddr_storage), PP_Flash_NetAddress_data_too_small);
+#endif  // ENABLE_FLAPPER_HACKS
+
+const PP_Flash_NetAddress kInvalidNetAddress = { 0 };
+
+PepperMessageFilter::PepperMessageFilter(Profile* profile)
+    : profile_(profile) {
+}
+
+bool PepperMessageFilter::OnMessageReceived(const IPC::Message& msg,
+                                            bool* message_was_ok) {
+#if defined(ENABLE_FLAPPER_HACKS)
+  bool handled = true;
+  IPC_BEGIN_MESSAGE_MAP_EX(PepperMessageFilter, msg, *message_was_ok)
+    IPC_MESSAGE_HANDLER(ViewHostMsg_PepperConnectTcp, OnPepperConnectTcp)
+    IPC_MESSAGE_HANDLER(ViewHostMsg_PepperConnectTcpAddress,
+                        OnPepperConnectTcpAddress)
+    IPC_MESSAGE_UNHANDLED(handled = false)
+  IPC_END_MESSAGE_MAP_EX()
+  return handled;
+#else
+  return false;
+#endif  // ENABLE_FLAPPER_HACKS
+}
+
+#if defined(ENABLE_FLAPPER_HACKS)
+
+namespace {
+
+bool ValidateNetAddress(const PP_Flash_NetAddress& addr) {
+  if (addr.size < sizeof(sa_family_t))
+    return false;
+
+  // TODO(viettrungluu): more careful validation?
+  // Just do a size check for AF_INET.
+  if (reinterpret_cast<const sockaddr*>(addr.data)->sa_family == AF_INET &&
+      addr.size >= sizeof(sockaddr_in))
+    return true;
+
+  // Ditto for AF_INET6.
+  if (reinterpret_cast<const sockaddr*>(addr.data)->sa_family == AF_INET6 &&
+      addr.size >= sizeof(sockaddr_in6))
+    return true;
+
+  // Reject everything else.
+  return false;
+}
+
+PP_Flash_NetAddress SockaddrToNetAddress(const struct sockaddr* sa,
+                                         socklen_t sa_length) {
+  PP_Flash_NetAddress addr;
+  CHECK_LE(sa_length, sizeof(addr.data));
+  addr.size = sa_length;
+  memcpy(addr.data, sa, addr.size);
+  return addr;
+}
+
+int ConnectTcpSocket(const PP_Flash_NetAddress& addr,
+                     PP_Flash_NetAddress* local_addr_out,
+                     PP_Flash_NetAddress* remote_addr_out) {
+  *local_addr_out = kInvalidNetAddress;
+  *remote_addr_out = kInvalidNetAddress;
+
+  const struct sockaddr* sa =
+      reinterpret_cast<const struct sockaddr*>(addr.data);
+  socklen_t sa_len = addr.size;
+  int fd = socket(sa->sa_family, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1)
+    return -1;
+  if (connect(fd, sa, sa_len) != 0) {
+    close(fd);
+    return -1;
+  }
+
+  // Get the local address.
+  socklen_t local_length = sizeof(local_addr_out->data);
+  if (getsockname(fd, reinterpret_cast<struct sockaddr*>(local_addr_out->data),
+                  &local_length) == -1 ||
+      local_length > sizeof(local_addr_out->data)) {
+    close(fd);
+    return -1;
+  }
+
+  // The remote address is just the address we connected to.
+  *remote_addr_out = addr;
+
+  return fd;
+}
+
+}  // namespace
+
+class PepperMessageFilter::LookupRequest {
+ public:
+  LookupRequest(PepperMessageFilter* pepper_message_filter,
+                net::HostResolver* resolver,
+                int routing_id,
+                int request_id,
+                const net::HostResolver::RequestInfo& request_info)
+      : ALLOW_THIS_IN_INITIALIZER_LIST(
+            net_callback_(this, &LookupRequest::OnLookupFinished)),
+        pepper_message_filter_(pepper_message_filter),
+        resolver_(resolver),
+        routing_id_(routing_id),
+        request_id_(request_id),
+        request_info_(request_info) {
+  }
+
+  void Start() {
+    int result = resolver_.Resolve(request_info_, &addresses_, &net_callback_,
+                                   net::BoundNetLog());
+    if (result != net::ERR_IO_PENDING)
+      OnLookupFinished(result);
+  }
+
+ private:
+  void OnLookupFinished(int /*result*/) {
+    pepper_message_filter_->PepperConnectTcpLookupFinished(
+        routing_id_, request_id_, addresses_);
+    delete this;
+  }
+
+  // HostResolver will call us using this callback when resolution is complete.
+  net::CompletionCallbackImpl<LookupRequest> net_callback_;
+
+  PepperMessageFilter* pepper_message_filter_;
+  net::SingleRequestHostResolver resolver_;
+
+  int routing_id_;
+  int request_id_;
+  net::HostResolver::RequestInfo request_info_;
+
+  net::AddressList addresses_;
+
+  DISALLOW_COPY_AND_ASSIGN(LookupRequest);
+};
+
+void PepperMessageFilter::OnPepperConnectTcp(
+    int routing_id,
+    int request_id,
+    const std::string& host,
+    uint16 port) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
+
+  URLRequestContext* req_context =
+      profile_->GetRequestContext()->GetURLRequestContext();
+  net::HostResolver::RequestInfo request_info(net::HostPortPair(host, port));
+
+  // The lookup request will delete itself on completion.
+  LookupRequest* lookup_request =
+      new LookupRequest(this, req_context->host_resolver(),
+                        routing_id, request_id, request_info);
+  lookup_request->Start();
+}
+
+void PepperMessageFilter::OnPepperConnectTcpAddress(
+    int routing_id,
+    int request_id,
+    const PP_Flash_NetAddress& addr) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
+
+  // Validate the address and then continue (doing |connect()|) on a worker
+  // thread.
+  if (!ValidateNetAddress(addr) ||
+      !base::WorkerPool::PostTask(FROM_HERE,
+           NewRunnableMethod(
+               this,
+               &PepperMessageFilter::PepperConnectTcpAddressOnWorkerThread,
+               routing_id, request_id, addr),
+           true)) {
+    SendPepperConnectTcpACKError(routing_id, request_id);
+  }
+}
+
+bool PepperMessageFilter::SendPepperConnectTcpACKError(int routing_id,
+                                                       int request_id) {
+  return Send(new ViewMsg_PepperConnectTcpACK(
+              routing_id, request_id,
+              IPC::InvalidPlatformFileForTransit(),
+              kInvalidNetAddress, kInvalidNetAddress));
+}
+
+void PepperMessageFilter::PepperConnectTcpLookupFinished(
+    int routing_id,
+    int request_id,
+    const net::AddressList& addresses) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
+
+  // If the lookup returned addresses, continue (doing |connect()|) on a worker
+  // thread.
+  if (!addresses.head() ||
+      !base::WorkerPool::PostTask(FROM_HERE,
+           NewRunnableMethod(
+               this,
+               &PepperMessageFilter::PepperConnectTcpOnWorkerThread,
+               routing_id, request_id, addresses),
+           true)) {
+    SendPepperConnectTcpACKError(routing_id, request_id);
+  }
+}
+
+void PepperMessageFilter::PepperConnectTcpOnWorkerThread(
+    int routing_id,
+    int request_id,
+    net::AddressList addresses) {
+  DCHECK(!MessageLoop::current());  // Check we are on a worker thread.
+
+  IPC::PlatformFileForTransit socket_for_transit =
+      IPC::InvalidPlatformFileForTransit();
+  PP_Flash_NetAddress local_addr = kInvalidNetAddress;
+  PP_Flash_NetAddress remote_addr = kInvalidNetAddress;
+
+  for (const struct addrinfo* ai = addresses.head(); ai; ai = ai->ai_next) {
+    PP_Flash_NetAddress addr = SockaddrToNetAddress(ai->ai_addr,
+                                                    ai->ai_addrlen);
+    int fd = ConnectTcpSocket(addr, &local_addr, &remote_addr);
+    if (fd != -1) {
+      socket_for_transit = base::FileDescriptor(fd, true);
+      break;
+    }
+  }
+
+  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
+      NewRunnableMethod(
+          this, &PepperMessageFilter::Send,
+          new ViewMsg_PepperConnectTcpACK(
+              routing_id, request_id,
+              socket_for_transit, local_addr, remote_addr)));
+}
+
+// TODO(vluu): Eliminate duplication between this and
+// |PepperConnectTcpOnWorkerThread()|.
+void PepperMessageFilter::PepperConnectTcpAddressOnWorkerThread(
+    int routing_id,
+    int request_id,
+    PP_Flash_NetAddress addr) {
+  DCHECK(!MessageLoop::current());  // Check we are on a worker thread.
+
+  IPC::PlatformFileForTransit socket_for_transit =
+      IPC::InvalidPlatformFileForTransit();
+  PP_Flash_NetAddress local_addr = kInvalidNetAddress;
+  PP_Flash_NetAddress remote_addr = kInvalidNetAddress;
+
+  int fd = ConnectTcpSocket(addr, &local_addr, &remote_addr);
+  if (fd != -1)
+    socket_for_transit = base::FileDescriptor(fd, true);
+
+  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
+      NewRunnableMethod(
+          this, &PepperMessageFilter::Send,
+          new ViewMsg_PepperConnectTcpACK(
+              routing_id, request_id,
+              socket_for_transit, local_addr, remote_addr)));
+}
+
+#endif  // ENABLE_FLAPPER_HACKS
diff --git a/chrome/browser/renderer_host/pepper_message_filter.h b/chrome/browser/renderer_host/pepper_message_filter.h
new file mode 100644
index 0000000..ec36c08
--- /dev/null
+++ b/chrome/browser/renderer_host/pepper_message_filter.h
@@ -0,0 +1,67 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_RENDERER_HOST_PEPPER_MESSAGE_FILTER_H_
+#define CHROME_BROWSER_RENDERER_HOST_PEPPER_MESSAGE_FILTER_H_
+#pragma once
+
+#include <string>
+
+#include "base/basictypes.h"
+#include "base/process.h"
+#include "chrome/browser/browser_message_filter.h"
+#include "ipc/ipc_channel_proxy.h"
+#include "ppapi/c/private/ppb_flash.h"
+
+class Profile;
+
+namespace net {
+class AddressList;
+}
+
+class PepperMessageFilter : public BrowserMessageFilter {
+ public:
+  explicit PepperMessageFilter(Profile* profile);
+
+ private:
+  // BrowserMessageFilter methods.
+  virtual bool OnMessageReceived(const IPC::Message& message,
+                                 bool* message_was_ok);
+
+#if defined(ENABLE_FLAPPER_HACKS)
+  // Message handlers.
+  void OnPepperConnectTcp(int routing_id,
+                          int request_id,
+                          const std::string& host,
+                          uint16 port);
+  void OnPepperConnectTcpAddress(int routing_id,
+                                 int request_id,
+                                 const PP_Flash_NetAddress& address);
+
+  // |Send()| a |ViewMsg_PepperConnectTcpACK|, which reports an error.
+  bool SendPepperConnectTcpACKError(int routing_id,
+                                    int request_id);
+
+  // Used by |OnPepperConnectTcp()| (below).
+  class LookupRequest;
+  friend class LookupRequest;
+
+  // Continuation of |OnPepperConnectTcp()|.
+  void PepperConnectTcpLookupFinished(int routing_id,
+                                      int request_id,
+                                      const net::AddressList& addresses);
+  void PepperConnectTcpOnWorkerThread(int routing_id,
+                                      int request_id,
+                                      net::AddressList addresses);
+
+  // Continuation of |OnPepperConnectTcpAddress()|.
+  void PepperConnectTcpAddressOnWorkerThread(int routing_id,
+                                             int request_id,
+                                             PP_Flash_NetAddress addr);
+#endif  // ENABLE_FLAPPER_HACKS
+
+  Profile* profile_;
+};
+
+#endif  // CHROME_BROWSER_RENDERER_HOST_PEPPER_MESSAGE_FILTER_H_
diff --git a/chrome/chrome_browser.gypi b/chrome/chrome_browser.gypi
index 1c62111..e01b64e 100644
--- a/chrome/chrome_browser.gypi
+++ b/chrome/chrome_browser.gypi
@@ -2166,6 +2166,8 @@
         'browser/renderer_host/offline_resource_handler.h',
         'browser/renderer_host/pepper_file_message_filter.cc',
         'browser/renderer_host/pepper_file_message_filter.h',
+        'browser/renderer_host/pepper_message_filter.cc',
+        'browser/renderer_host/pepper_message_filter.h',
         'browser/renderer_host/redirect_to_file_resource_handler.cc',
         'browser/renderer_host/redirect_to_file_resource_handler.h',
         'browser/renderer_host/render_message_filter.cc',
diff --git a/chrome/common/DEPS b/chrome/common/DEPS
index a4256b3..cd9bd3f 100644
--- a/chrome/common/DEPS
+++ b/chrome/common/DEPS
@@ -5,6 +5,7 @@ include_rules = [
   "+libxml",
   "+media/audio",
   "+media/base",
+  "+ppapi/c",  # For various types.
   "+remoting/client/plugin",
   "+sandbox/src",
   "+skia",
diff --git a/chrome/common/render_messages.cc b/chrome/common/render_messages.cc
index c865a68..2519c7f 100644
--- a/chrome/common/render_messages.cc
+++ b/chrome/common/render_messages.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -17,6 +17,7 @@
 #include "media/audio/audio_buffers_state.h"
 #include "net/base/upload_data.h"
 #include "net/http/http_response_headers.h"
+#include "ppapi/c/private/ppb_flash.h"
 #include "third_party/WebKit/WebKit/chromium/public/WebCompositionUnderline.h"
 #include "third_party/skia/include/core/SkBitmap.h"
 #include "webkit/appcache/appcache_interfaces.h"
@@ -39,7 +40,6 @@
 
 namespace IPC {
 
-
 template<>
 struct ParamTraits<WebMenuItem::Type> {
   typedef WebMenuItem::Type param_type;
@@ -1236,4 +1236,33 @@ void ParamTraits<speech_input::SpeechInputResultItem>::Log(const param_type& p,
   l->append(")");
 }
 
+void ParamTraits<PP_Flash_NetAddress>::Write(Message* m, const param_type& p) {
+  WriteParam(m, p.size);
+  m->WriteBytes(p.data, p.size);
+}
+
+bool ParamTraits<PP_Flash_NetAddress>::Read(const Message* m,
+                                            void** iter,
+                                            param_type* p) {
+  uint16 size;
+  if (!ReadParam(m, iter, &size))
+    return false;
+  if (size > sizeof(p->data))
+    return false;
+  p->size = size;
+
+  const char* data;
+  if (!m->ReadBytes(iter, &data, size))
+    return false;
+  memcpy(p->data, data, size);
+  return true;
+}
+
+void ParamTraits<PP_Flash_NetAddress>::Log(const param_type& p,
+                                           std::string* l) {
+  l->append("<PP_Flash_NetAddress (");
+  LogParam(p.size, l);
+  l->append(" bytes)>");
+}
+
 }  // namespace IPC
diff --git a/chrome/common/render_messages.h b/chrome/common/render_messages.h
index e06a667..258734a 100644
--- a/chrome/common/render_messages.h
+++ b/chrome/common/render_messages.h
@@ -61,7 +61,6 @@ struct ResourceLoadTimingInfo;
 struct ResourceResponseInfo;
 struct WebAccessibility;
 struct WebCookie;
-struct WebAccessibility;
 }
 
 namespace webkit {
@@ -79,6 +78,7 @@ class SkBitmap;
 class URLPattern;
 struct ContextMenuParams;
 struct EditCommand;
+struct PP_Flash_NetAddress;
 struct ResourceResponseHead;
 struct SyncLoadResult;
 struct RendererPreferences;
@@ -552,6 +552,14 @@ struct ParamTraits<speech_input::SpeechInputResultItem> {
   static void Log(const param_type& p, std::string* l);
 };
 
+template <>
+struct ParamTraits<PP_Flash_NetAddress> {
+  typedef PP_Flash_NetAddress param_type;
+  static void Write(Message* m, const param_type& p);
+  static bool Read(const Message* m, void** iter, param_type* p);
+  static void Log(const param_type& p, std::string* l);
+};
+
 }  // namespace IPC
 
 #include "chrome/common/render_messages_internal.h"
diff --git a/chrome/common/render_messages_internal.h b/chrome/common/render_messages_internal.h
index 999a72f..ce0851d 100644
--- a/chrome/common/render_messages_internal.h
+++ b/chrome/common/render_messages_internal.h
@@ -51,6 +51,7 @@ typedef std::map<std::string, std::string> SubstitutionMap;
 
 class Value;
 class GPUInfo;
+struct PP_Flash_NetAddress;
 class SkBitmap;
 struct ThumbnailScore;
 class WebCursor;
@@ -1075,6 +1076,13 @@ IPC_MESSAGE_ROUTED1(ViewMsg_SelectPopupMenuItem,
 IPC_MESSAGE_CONTROL1(ViewMsg_SpeechInput_SetFeatureEnabled,
                      bool /* enabled */)
 
+// The response to ViewHostMsg_PepperConnectTcp(Address).
+IPC_MESSAGE_ROUTED4(ViewMsg_PepperConnectTcpACK,
+                    int /* request_id */,
+                    IPC::PlatformFileForTransit /* socket */,
+                    PP_Flash_NetAddress /* local_addr */,
+                    PP_Flash_NetAddress /* remote_addr */)
+
 //-----------------------------------------------------------------------------
 // TabContents messages
 // These are messages sent from the renderer to the browser process.
@@ -2630,3 +2638,16 @@ IPC_MESSAGE_ROUTED2(ViewHostMsg_ScriptEvalResponse,
 // Updates the content restrictions, i.e. to disable print/copy.
 IPC_MESSAGE_ROUTED1(ViewHostMsg_UpdateContentRestrictions,
                     int /* restrictions */)
+
+// Pepper-related messages -----------------------------------------------------
+
+IPC_MESSAGE_CONTROL4(ViewHostMsg_PepperConnectTcp,
+                     int /* routing_id */,
+                     int /* request_id */,
+                     std::string /* host */,
+                     uint16 /* port */)
+
+IPC_MESSAGE_CONTROL3(ViewHostMsg_PepperConnectTcpAddress,
+                     int /* routing_id */,
+                     int /* request_id */,
+                     PP_Flash_NetAddress /* addr */)
diff --git a/chrome/renderer/pepper_plugin_delegate_impl.cc b/chrome/renderer/pepper_plugin_delegate_impl.cc
index 31c5183..eba798a 100644
--- a/chrome/renderer/pepper_plugin_delegate_impl.cc
+++ b/chrome/renderer/pepper_plugin_delegate_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -35,6 +35,7 @@
 #include "grit/locale_settings.h"
 #include "ipc/ipc_channel_handle.h"
 #include "ppapi/c/dev/pp_video_dev.h"
+#include "ppapi/c/private/ppb_flash.h"
 #include "ppapi/proxy/host_dispatcher.h"
 #include "third_party/WebKit/WebKit/chromium/public/WebFileChooserCompletion.h"
 #include "third_party/WebKit/WebKit/chromium/public/WebFileChooserParams.h"
@@ -45,6 +46,7 @@
 #include "webkit/plugins/ppapi/ppb_file_io_impl.h"
 #include "webkit/plugins/ppapi/plugin_module.h"
 #include "webkit/plugins/ppapi/ppapi_plugin_instance.h"
+#include "webkit/plugins/ppapi/ppb_flash_impl.h"
 
 #if defined(OS_MACOSX)
 #include "chrome/common/render_messages.h"
@@ -767,6 +769,7 @@ base::PlatformFileError PepperPluginDelegateImpl::QueryModuleLocalFile(
   }
   return error;
 }
+
 base::PlatformFileError PepperPluginDelegateImpl::GetModuleLocalDirContents(
       const std::string& module_name,
       const FilePath& path,
@@ -789,6 +792,50 @@ PepperPluginDelegateImpl::GetFileThreadMessageLoopProxy() {
   return RenderThread::current()->GetFileThreadMessageLoopProxy();
 }
 
+int32_t PepperPluginDelegateImpl::ConnectTcp(
+    webkit::ppapi::PPB_Flash_NetConnector_Impl* connector,
+    const char* host,
+    uint16_t port) {
+  int request_id = pending_connect_tcps_.Add(
+      new scoped_refptr<webkit::ppapi::PPB_Flash_NetConnector_Impl>(connector));
+  IPC::Message* msg =
+      new ViewHostMsg_PepperConnectTcp(render_view_->routing_id(),
+                                       request_id,
+                                       std::string(host),
+                                       port);
+  if (!render_view_->Send(msg))
+    return PP_ERROR_FAILED;
+
+  return PP_ERROR_WOULDBLOCK;
+}
+
+int32_t PepperPluginDelegateImpl::ConnectTcpAddress(
+    webkit::ppapi::PPB_Flash_NetConnector_Impl* connector,
+    const struct PP_Flash_NetAddress* addr) {
+  int request_id = pending_connect_tcps_.Add(
+      new scoped_refptr<webkit::ppapi::PPB_Flash_NetConnector_Impl>(connector));
+  IPC::Message* msg =
+      new ViewHostMsg_PepperConnectTcpAddress(render_view_->routing_id(),
+                                              request_id,
+                                              *addr);
+  if (!render_view_->Send(msg))
+    return PP_ERROR_FAILED;
+
+  return PP_ERROR_WOULDBLOCK;
+}
+
+void PepperPluginDelegateImpl::OnConnectTcpACK(
+    int request_id,
+    base::PlatformFile socket,
+    const PP_Flash_NetAddress& local_addr,
+    const PP_Flash_NetAddress& remote_addr) {
+  scoped_refptr<webkit::ppapi::PPB_Flash_NetConnector_Impl> connector =
+      *pending_connect_tcps_.Lookup(request_id);
+  pending_connect_tcps_.Remove(request_id);
+
+  connector->CompleteConnectTcp(socket, local_addr, remote_addr);
+}
+
 webkit::ppapi::FullscreenContainer*
 PepperPluginDelegateImpl::CreateFullscreenContainer(
     webkit::ppapi::PluginInstance* instance) {
diff --git a/chrome/renderer/pepper_plugin_delegate_impl.h b/chrome/renderer/pepper_plugin_delegate_impl.h
index cd732fe..b4d7424 100644
--- a/chrome/renderer/pepper_plugin_delegate_impl.h
+++ b/chrome/renderer/pepper_plugin_delegate_impl.h
@@ -141,6 +141,19 @@ class PepperPluginDelegateImpl
       const FilePath& path,
       webkit::ppapi::DirContents* contents);
   virtual scoped_refptr<base::MessageLoopProxy> GetFileThreadMessageLoopProxy();
+  virtual int32_t ConnectTcp(
+      webkit::ppapi::PPB_Flash_NetConnector_Impl* connector,
+      const char* host,
+      uint16_t port);
+  virtual int32_t ConnectTcpAddress(
+      webkit::ppapi::PPB_Flash_NetConnector_Impl* connector,
+      const struct PP_Flash_NetAddress* addr);
+  // This is the completion for both |ConnectTcp()| and |ConnectTcpAddress()|.
+  void OnConnectTcpACK(
+      int request_id,
+      base::PlatformFile socket,
+      const PP_Flash_NetAddress& local_addr,
+      const PP_Flash_NetAddress& remote_addr);
   virtual webkit::ppapi::FullscreenContainer*
       CreateFullscreenContainer(
           webkit::ppapi::PluginInstance* instance);
@@ -157,9 +170,14 @@ class PepperPluginDelegateImpl
 
   std::set<webkit::ppapi::PluginInstance*> active_instances_;
 
+  // TODO(viettrungluu): Get rid of |id_generator_| -- just use |IDMap::Add()|.
+  // Rename |messages_waiting_replies_| (to specify async open file).
   int id_generator_;
   IDMap<AsyncOpenFileCallback> messages_waiting_replies_;
 
+  IDMap<scoped_refptr<webkit::ppapi::PPB_Flash_NetConnector_Impl>,
+        IDMapOwnPointer> pending_connect_tcps_;
+
   DISALLOW_COPY_AND_ASSIGN(PepperPluginDelegateImpl);
 };
 
diff --git a/chrome/renderer/render_view.cc b/chrome/renderer/render_view.cc
index 791476d..e9b6e18 100644
--- a/chrome/renderer/render_view.cc
+++ b/chrome/renderer/render_view.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -109,6 +109,7 @@
 #include "net/base/escape.h"
 #include "net/base/net_errors.h"
 #include "net/http/http_util.h"
+#include "ppapi/c/private/ppb_flash.h"
 #include "skia/ext/bitmap_platform_device.h"
 #include "skia/ext/image_operations.h"
 #include "third_party/WebKit/WebKit/chromium/public/WebAccessibilityCache.h"
@@ -1093,6 +1094,9 @@ bool RenderView::OnMessageReceived(const IPC::Message& message) {
     IPC_MESSAGE_HANDLER(ViewMsg_AccessibilityNotifications_ACK,
                         OnAccessibilityNotificationsAck)
     IPC_MESSAGE_HANDLER(ViewMsg_AsyncOpenFile_ACK, OnAsyncFileOpened)
+#if defined(ENABLE_FLAPPER_HACKS)
+    IPC_MESSAGE_HANDLER(ViewMsg_PepperConnectTcpACK, OnConnectTcpACK)
+#endif
 #if defined(OS_MACOSX)
     IPC_MESSAGE_HANDLER(ViewMsg_SelectPopupMenuItem, OnSelectPopupMenuItem)
 #endif
@@ -5752,3 +5756,17 @@ void RenderView::AddErrorToRootConsole(const string16& message) {
         WebConsoleMessage(WebConsoleMessage::LevelError, message));
   }
 }
+
+#if defined(ENABLE_FLAPPER_HACKS)
+void RenderView::OnConnectTcpACK(
+    int request_id,
+    IPC::PlatformFileForTransit socket_for_transit,
+    const PP_Flash_NetAddress& local_addr,
+    const PP_Flash_NetAddress& remote_addr) {
+  pepper_delegate_.OnConnectTcpACK(
+      request_id,
+      IPC::PlatformFileForTransitToPlatformFile(socket_for_transit),
+      local_addr,
+      remote_addr);
+}
+#endif
diff --git a/chrome/renderer/render_view.h b/chrome/renderer/render_view.h
index 897a964..10d45cd 100644
--- a/chrome/renderer/render_view.h
+++ b/chrome/renderer/render_view.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -81,6 +81,7 @@ class SpeechInputDispatcher;
 class WebPluginDelegatePepper;
 class WebPluginDelegateProxy;
 struct ContextMenuMediaParams;
+struct PP_Flash_NetAddress;
 struct ThumbnailScore;
 struct ViewMsg_ClosePage_Params;
 struct ViewMsg_Navigate_Params;
@@ -834,6 +835,9 @@ class RenderView : public RenderWidget,
                              const WebKit::WebConsoleMessage::Level&);
   void OnAdvanceToNextMisspelling();
   void OnAllowScriptToClose(bool script_can_close);
+  void OnAsyncFileOpened(base::PlatformFileError error_code,
+                         IPC::PlatformFileForTransit file_for_transit,
+                         int message_id);
   void OnAutocompleteSuggestionsReturned(
       int query_id,
       const std::vector<string16>& suggestions,
@@ -849,6 +853,12 @@ class RenderView : public RenderWidget,
   void OnCancelDownload(int32 download_id);
   void OnClearFocusedNode();
   void OnClosePage(const ViewMsg_ClosePage_Params& params);
+#if defined(ENABLE_FLAPPER_HACKS)
+  void OnConnectTcpACK(int request_id,
+                       IPC::PlatformFileForTransit socket_for_transit,
+                       const PP_Flash_NetAddress& local_addr,
+                       const PP_Flash_NetAddress& remote_addr);
+#endif
   void OnCopy();
   void OnCopyImageAt(int x, int y);
 #if defined(OS_MACOSX)
@@ -978,10 +988,6 @@ class RenderView : public RenderWidget,
 #endif
   void OnZoom(PageZoom::Function function);
 
-  void OnAsyncFileOpened(base::PlatformFileError error_code,
-                         IPC::PlatformFileForTransit file_for_transit,
-                         int message_id);
-
   // Adding a new message handler? Please add it in alphabetical order above
   // and put it in the same position in the .cc file.