Base: Remove Receive() from ScopedHandle.

In general, the OS API contract doesn't guarantee that output variables are
not modified on failure, so a Reeceive pattern is fundamentally insecure.

BUG=318531
TEST=current tests

tbr'ing owners for the consumers.

TBR=jvoung@chromium.org, thakis@chromium.org, sergeyu@chromium.org, grt@chromium.org, gene@chromium.org, youngki@chromium.org

Review URL: https://codereview.chromium.org/71013004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@237459 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 3 insertions, 2 deletions

diff --git a/remoting/host/win/chromoting_module.cc b/remoting/host/win/chromoting_module.cc
index 724ce7e..630c6c2 100644
--- a/remoting/host/win/chromoting_module.cc
+++ b/remoting/host/win/chromoting_module.cc
@@ -42,12 +42,13 @@ base::LazyInstance<scoped_refptr<AutoThreadTaskRunner> > g_module_task_runner =
 // Lowers the process integrity level such that it does not exceed |max_level|.
 // |max_level| is expected to be one of SECURITY_MANDATORY_XXX constants.
 bool LowerProcessIntegrityLevel(DWORD max_level) {
-  base::win::ScopedHandle token;
+  HANDLE temp_handle;
   if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_WRITE,
-                        token.Receive())) {
+                        &temp_handle)) {
     PLOG(ERROR) << "OpenProcessToken() failed";
     return false;
   }
+  base::win::ScopedHandle token(temp_handle);
 
   TypedBuffer<TOKEN_MANDATORY_LABEL> mandatory_label;
   DWORD length = 0;