author | bratell <bratell@opera.com> | 2015-05-29 06:19:01 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-05-29 13:19:38 +0000 |
commit | 5937d45677732c5fe9be1ea4d442e4e1ca61c23b (patch) | |
tree | c0e628bda7d590596b2bf9a246dedcd10b719039 /ipc | |
parent | 57ebc05f9c1c509cc91fa8fabda1af858e0b4317 (diff) | |
Make IPC::Channel buffers stack based and secure against growth
Auxiliary IPC::Channel buffers have been permanently allocated
even though their use is very temporary. This moves those to
the stack instead to reflect their temporary nature and also
adds an assert to catch accidental out-of-control growth of
the buffer as happened recently.
BUG=484154
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1120343002
Cr-Commit-Position: refs/heads/master@{#331956}
Diffstat (limited to 'ipc')
-rw-r--r-- | ipc/ipc_channel_posix.cc | 6 | ||||
-rw-r--r-- | ipc/ipc_channel_posix.h | 12 |
2 files changed, 7 insertions, 11 deletions
diff --git a/ipc/ipc_channel_posix.cc b/ipc/ipc_channel_posix.cc
index a76ef8a..b23f761 100644
--- a/ipc/ipc_channel_posix.cc
+++ b/ipc/ipc_channel_posix.cc
@@ -192,7 +192,6 @@ ChannelPosix::ChannelPosix(const IPC::ChannelHandle& channel_handle,
 pipe_name_(channel_handle.name),
 in_dtor_(false),
 must_unlink_(false) {
- memset(input_cmsg_buf_, 0, sizeof(input_cmsg_buf_));
 if (!CreatePipe(channel_handle)) {
 // The pipe may have been closed already.
 const char *modestr = (mode_ & MODE_SERVER_FLAG) ? "server" : "client";
@@ -754,11 +753,12 @@ ChannelPosix::ReadState ChannelPosix::ReadData(
 msg.msg_iov = &iov;
 msg.msg_iovlen = 1;
- msg.msg_control = input_cmsg_buf_;
+ char input_cmsg_buf[kMaxReadFDBuffer];
+ msg.msg_control = input_cmsg_buf;
 // recvmsg() returns 0 if the connection has closed or EAGAIN if no data
 // is waiting on the pipe.
- msg.msg_controllen = sizeof(input_cmsg_buf_);
+ msg.msg_controllen = sizeof(input_cmsg_buf);
 *bytes_read = HANDLE_EINTR(recvmsg(pipe_.get(), &msg, MSG_DONTWAIT));
 if (*bytes_read < 0) {
diff --git a/ipc/ipc_channel_posix.h b/ipc/ipc_channel_posix.h
index 4edb6a0..986eb8a 100644
--- a/ipc/ipc_channel_posix.h
+++ b/ipc/ipc_channel_posix.h
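Review bot: The new local `input_cmsg_buf` in ReadData is a plain `char` array, so nothing guarantees it is aligned for `struct cmsghdr`, which the CMSG_* macros assume when they walk `msg.msg_control`; declaring it as `alignas(struct cmsghdr) char input_cmsg_buf[kMaxReadFDBuffer];` (or wrapping it in a union with a `cmsghdr`) would make that explicit. With the constructor's memset gone the buffer also holds uninitialized stack bytes, so the parsing code after the recvmsg() call should read only the region the kernel reports back in `msg.msg_controllen`, and treat `MSG_CTRUNC` in `msg.msg_flags` as an error. That parsing is outside this hunk, so I cannot tell from here whether it already does so. A short comment on the local, e.g. `// Control data is only valid up to msg.msg_controllen after recvmsg().`, would carry over the intent of the comment removed from the header.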
@@ -139,18 +139,14 @@ class IPC_EXPORT ChannelPosix : public Channel,
 MessageAttachmentSet::kMaxDescriptorsPerMessage;
 // Buffer size for file descriptors used for recvmsg. On Mac the CMSG macros
- // don't seem to be constant so we have to pick a "large enough" value.
+ // are not constant so we have to pick a "large enough" padding for headers.
 #if defined(OS_MACOSX)
- static const size_t kMaxReadFDBuffer = 1024;
+ static const size_t kMaxReadFDBuffer = 1024 + sizeof(int) * kMaxReadFDs;
 #else
 static const size_t kMaxReadFDBuffer = CMSG_SPACE(sizeof(int) * kMaxReadFDs);
 #endif
-
- // Temporary buffer used to receive the file descriptors from recvmsg.
- // Code that writes into this should immediately read them out and save
- // them to input_fds_, since this buffer will be re-used anytime we call
- // recvmsg.
- char input_cmsg_buf_[kMaxReadFDBuffer];
+ static_assert(kMaxReadFDBuffer <= 8192,
+ "kMaxReadFDBuffer too big for a stack buffer");
 // File descriptors extracted from messages coming off of the channel. The
 // handles may span messages and come off different channels from the message |
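Review bot: The `static_assert` on `kMaxReadFDBuffer` caps the size but nothing checks the lower bound on Mac, where `1024 + sizeof(int) * kMaxReadFDs` is still an estimate of `CMSG_SPACE(sizeof(int) * kMaxReadFDs)`. Because that macro is not a constant expression there, a runtime check next to the stack buffer in ReadData, such as `DCHECK_GE(sizeof(input_cmsg_buf), CMSG_SPACE(sizeof(int) * kMaxReadFDs));`, would catch an undersized buffer before recvmsg() truncates the control data. The comment above the `#if` could also state that the 1024 bytes are padding for cmsg headers and alignment and that 8192 is the chosen stack budget. The class body continues outside this hunk.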