Mojo: Initialize MessageInTransit::Header::unused.

(This avoids an uninitialized read (e.g., in sending the message), which
potentially leaks data.)

R=yzshen@chromium.org
BUG=370145

Review URL: https://codereview.chromium.org/264093006

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@268326 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 3 insertions, 0 deletions

diff --git a/mojo/system/message_in_transit.cc b/mojo/system/message_in_transit.cc
index b38ea12..3235a75 100644
--- a/mojo/system/message_in_transit.cc
+++ b/mojo/system/message_in_transit.cc
@@ -93,6 +93,7 @@ MessageInTransit::MessageInTransit(Type type,
   header()->source_id = kInvalidEndpointId;
   header()->destination_id = kInvalidEndpointId;
   header()->num_bytes = num_bytes;
+  header()->unused = 0;
   // Note: If dispatchers are subsequently attached, then |total_size| will have
   // to be adjusted.
   UpdateTotalSize();
diff --git a/mojo/system/transport_data.cc b/mojo/system/transport_data.cc
index 634452f..789393f 100644
--- a/mojo/system/transport_data.cc
+++ b/mojo/system/transport_data.cc
@@ -106,6 +106,7 @@ TransportData::TransportData(scoped_ptr<DispatcherVector> dispatchers,
   Header* header = reinterpret_cast<Header*>(buffer_.get());
   header->num_handles = static_cast<uint32_t>(num_handles);
   // TODO(vtl): platform_handle_table_offset and num_platform_handles
+  // (Okay to not set |unused| since we cleared the entire buffer.)
 
   HandleTableEntry* handle_table = reinterpret_cast<HandleTableEntry*>(
       buffer_.get() + handle_table_start_offset);
@@ -131,6 +132,7 @@ TransportData::TransportData(scoped_ptr<DispatcherVector> dispatchers,
       handle_table[i].type = static_cast<int32_t>(dispatcher->GetType());
       handle_table[i].offset = static_cast<uint32_t>(current_offset);
       handle_table[i].size = static_cast<uint32_t>(actual_size);
+      // (Okay to not set |unused| since we cleared the entire buffer.)
 
 #if DCHECK_IS_ON
       DCHECK_LE(actual_size, all_max_sizes[i]);