author | jeremy@chromium.org <jeremy@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-01-26 10:04:05 +0000 |
---|---|---|
committer | jeremy@chromium.org <jeremy@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-01-26 10:04:05 +0000 |
commit | 00a13d2d2808d3e6f055cd7ce9a83ebbfea37a68 (patch) | |
tree | 3650cb2c9c1bb438a422f75412e9b58f99c5fb44 /ipc | |
parent | 1677229632b3e4410030e280f637c7d7d5c5ca31 (diff) | |
Better handle oversized IPC messages
* Shoot down oversized messages on the sending side so we fail faster.
* Add DCHECKs to identify oversized messages early.
The real fix for the underlying bug is not to send oversized messages in the first place, but the current state of things is that it takes a long while for the renderer to crash. This change should speed the failure up a bit.
BUG=26822
TEST=Chrome should continue to load web pages.
Review URL: http://codereview.chromium.org/546047
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@37102 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'ipc')
-rw-r--r-- | ipc/ipc_channel_posix.cc | 13 | ||||
-rw-r--r-- | ipc/ipc_channel_win.cc | 14 | ||||
-rw-r--r-- | ipc/ipc_sync_channel.cc | 9 |
3 files changed, 36 insertions, 0 deletions
diff --git a/ipc/ipc_channel_posix.cc b/ipc/ipc_channel_posix.cc
index 545ad0c..4e00964 100644
--- a/ipc/ipc_channel_posix.cc
+++ b/ipc/ipc_channel_posix.cc
@@ -734,6 +734,10 @@ bool Channel::ChannelImpl::ProcessOutgoingMessages() {
 while (!output_queue_.empty()) {
 Message* msg = output_queue_.front();
+ // Oversized messages should be rejected in Send().
+ DCHECK_LE(msg->size(), kMaximumMessageSize)
+ << "Attempt to send oversized message";
+
 #if defined(OS_LINUX)
 scoped_ptr<Message> hello;
 if (remote_fd_pipe_ != -1 &&
@@ -884,6 +888,15 @@ bool Channel::ChannelImpl::ProcessOutgoingMessages() {
 }
 bool Channel::ChannelImpl::Send(Message* message) {
+ if(message->size(), kMaximumMessageSize) {
+ LOG(ERROR) << "Attempt to send oversized message "
+ << message->size()
+ << " type="
+ << message->type();
+ Close();
+ delete message;
+ return false;
+ }
 #ifdef IPC_MESSAGE_DEBUG_EXTRA
 DLOG(INFO) << "sending message @" << message << " on channel @" << this << " with type " << message->type()
diff --git a/ipc/ipc_channel_win.cc b/ipc/ipc_channel_win.cc
index 701bce8..788a2aa 100644
--- a/ipc/ipc_channel_win.cc
+++ b/ipc/ipc_channel_win.cc
@@ -77,6 +77,15 @@ void Channel::ChannelImpl::Close() {
 bool Channel::ChannelImpl::Send(Message* message) {
 DCHECK(thread_check_->CalledOnValidThread());
+ if (message->size() > kMaximumMessageSize) {
+ LOG(ERROR) << "Attempt to send oversized message "
+ << message->size()
+ << " type="
+ << message->type();
+ Close();
+ delete message;
+ return false;
+ }
 #ifdef IPC_MESSAGE_DEBUG_EXTRA
 DLOG(INFO) << "sending message @" << message << " on channel @" << this << " with type " << message->type()
@@ -345,6 +354,11 @@ bool Channel::ChannelImpl::ProcessOutgoingMessages(
 // Write to pipe...
 Message* m = output_queue_.front();
+
+ // Oversized messages should be rejected in Send().
+ DCHECK_LE(m->size(), kMaximumMessageSize)
+ << "Attempt to send oversized message";
+
 BOOL ok = WriteFile(pipe_, m->data(), m->size(), 
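Review bot: The `DCHECK_LE` added at the top of the loop in the POSIX `ProcessOutgoingMessages()` is compiled out of release builds, so in shipping binaries the size limit on this path rests entirely on the new check in `Send()`. The comment should say so, for example `// Debug-only backstop: release builds rely on Send() having rejected oversized messages.` Anything placed on `output_queue_` without passing through `Send()` would be unchecked in release; the `hello` message declared just below may be such a case, which is worth confirming. The same applies to the `DCHECK_LE` added in the Windows `ProcessOutgoingMessages()` hunk.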
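Review bot: The new guard in the POSIX `Channel::ChannelImpl::Send()` reads `if(message->size(), kMaximumMessageSize)`, which is a comma expression rather than a comparison. It evaluates to `kMaximumMessageSize` alone, so assuming that constant is non-zero the branch is taken for every message: each `Send()` logs an error, calls `Close()`, deletes the message and returns false. This looks like a leftover from the `DCHECK_LE(a, b)` form; the line should match the Windows hunk, `if (message->size() > kMaximumMessageSize) {`. The rest of `Send()` lies outside the hunk.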
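Review bot: The size check added to the Windows `Channel::ChannelImpl::Send()` only protects against bugs in a well-behaved sender and is not a trust boundary, and nothing in the code says so. A compromised peer would simply not run it, so the receiving side must still enforce `kMaximumMessageSize` on incoming data; that enforcement is not visible in this diff. I would add a comment above the `if`, such as `// Fail-fast for our own oversized messages only; the receiver must still bound untrusted input.` The same nine-line block is repeated in the POSIX `Send()` and in `SyncChannel::SendWithTimeout()`, so a shared helper would keep the three copies from drifting apart.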
diff --git a/ipc/ipc_sync_channel.cc b/ipc/ipc_sync_channel.cc
index 3aa7a26..5a100cf 100644
--- a/ipc/ipc_sync_channel.cc
+++ b/ipc/ipc_sync_channel.cc
@@ -382,6 +382,15 @@ bool SyncChannel::Send(Message* message) {
 }
 bool SyncChannel::SendWithTimeout(Message* message, int timeout_ms) {
+ if(message->size() > IPC::Channel::kMaximumMessageSize) {
+ LOG(ERROR) << "Attempt to send oversized message "
+ << message->size()
+ << " type="
+ << message->type();
+ delete message;
+ return false;
+ }
+
 if (!message->is_sync()) {
 ChannelProxy::Send(message);
 return true; |
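Review bot: The oversized-message branch added to `SyncChannel::SendWithTimeout()` deletes the message and returns false but leaves the channel open, whereas both `ChannelImpl::Send()` hunks also call `Close()`. If that difference is intentional (this method may run on a different thread from the channel), it deserves a comment such as `// Channel is left open here; the caller only sees the false return.` Otherwise the "fail faster" behaviour in the description does not hold on this path when callers ignore the result. The line is also written `if(` without a space, unlike the surrounding `if (!message->is_sync())`. The body of `SendWithTimeout()` continues past the hunk.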