author | cpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-03 23:45:42 +0000 |
---|---|---|
committer | cpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-03 23:45:42 +0000 |
commit | 34682d662be8615551cf7ea19c9012f8b60bd9be (patch) | |
tree | a04e55d6828130c1e4582807de202d6e54d5bd03 /sandbox/src | |
parent | 95f88a2c7d11b26af103940af8bb2124d1ee9a05 (diff) | |
download | chromium_src-34682d662be8615551cf7ea19c9012f8b60bd9be.zip chromium_src-34682d662be8615551cf7ea19c9012f8b60bd9be.tar.gz chromium_src-34682d662be8615551cf7ea19c9012f8b60bd9be.tar.bz2 |
Fix race in CrossCallParamsEx::CreateFromBuffer
Credit goes to Willem Pinckaers / Matasano
No unittest because to trigger this codepath you need
to win a very tight race.
BUG=121726
TEST=none
Review URL: https://chromiumcodereview.appspot.com/9965117
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@130505 0039d316-1c4b-4281-b951-d872f2087c98
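The commit message above describes a time-of-check/time-of-use race: the parameter count is read from a buffer the untrusted side can still write, and by the time the server copies the buffer the count may differ. The following is an added C++ illustration, not Chromium's code, of the "copy into private memory, then validate the copy" pattern the fix enforces. `SharedHeader`, `CopyFromShared`, `Simulate`, the size limits and the test hook that stands in for the concurrent writer are all hypothetical.

```cpp
// Added example (not Chromium code): a minimal model of "copy the untrusted
// buffer, then validate the private copy". SharedHeader, CopyFromShared,
// Simulate and the limits are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <memory>
#include <vector>

// Constructed layout of the header the untrusted side writes into memory it
// shares with the server.
struct SharedHeader {
  uint32_t params_count;
  uint32_t declared_size;  // bytes in the whole message, header included
};

constexpr uint32_t kMaxParams = 16;
constexpr uint32_t kMaxSize = 4096;

// Server-private snapshot of the shared buffer.
struct PrivateCopy {
  std::vector<uint8_t> bytes;
  SharedHeader header() const {
    SharedHeader h;
    std::memcpy(&h, bytes.data(), sizeof(h));
    return h;
  }
};

// Reads the header from `shared`, bounds-checks it, copies declared_size bytes
// into private memory and, when `revalidate` is set, re-checks the copied
// header against the values validated earlier. `race_hook` is a test seam
// that runs between the first read and the memcpy, standing in for a
// concurrent write by the untrusted side. Returns nullptr on rejection.
std::unique_ptr<PrivateCopy> CopyFromShared(
    const uint8_t* shared, size_t shared_len,
    const std::function<void()>& race_hook, bool revalidate) {
  if (shared_len < sizeof(SharedHeader)) return nullptr;

  // Time of check: read and validate the untrusted header once.
  SharedHeader first;
  std::memcpy(&first, shared, sizeof(first));
  if (first.params_count > kMaxParams ||
      first.declared_size < sizeof(SharedHeader) ||
      first.declared_size > kMaxSize || first.declared_size > shared_len) {
    return nullptr;
  }
  const uint32_t param_count = first.params_count;
  const uint32_t declared_size = first.declared_size;

  race_hook();  // the other side may rewrite the shared header here

  // Time of use: copy the buffer the server will actually consume.
  auto copy = std::make_unique<PrivateCopy>();
  copy->bytes.resize(declared_size);
  std::memcpy(copy->bytes.data(), shared, declared_size);

  if (revalidate) {
    // The fix: every field consumed later is checked on the private copy, so
    // a rewrite between the read and the memcpy is detected instead of trusted.
    const SharedHeader copied = copy->header();
    if (copied.params_count != param_count ||
        copied.declared_size != declared_size) {
      return nullptr;
    }
  }
  return copy;
}

// Deterministic stand-in for the race: with `race` set, the hook bumps
// params_count past kMaxParams after the initial check has passed. Returns
// the count the server would go on to trust, or -1 if the copy was rejected.
int Simulate(bool race, bool revalidate) {
  std::vector<uint8_t> shared(64, 0);
  const SharedHeader initial{2, 32};  // constructed, well-formed header
  std::memcpy(shared.data(), &initial, sizeof(initial));

  auto hook = [&shared, race]() {
    if (!race) return;
    SharedHeader tampered{1000, 32};  // count the first check would have refused
    std::memcpy(shared.data(), &tampered, sizeof(tampered));
  };

  auto copy = CopyFromShared(shared.data(), shared.size(), hook, revalidate);
  if (!copy) return -1;
  return static_cast<int>(copy->header().params_count);
}
```

Without the re-validation, `Simulate(true, false)` hands the server a count of 1000 that its own first check would have refused; with it, the same run is rejected. The hook replaces the real race so the branch can be exercised deterministically in a test.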
Diffstat (limited to 'sandbox/src')
-rw-r--r-- | sandbox/src/crosscall_server.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sandbox/src/crosscall_server.cc b/sandbox/src/crosscall_server.cc index 3ed99c8..7c4542c 100644 --- a/sandbox/src/crosscall_server.cc +++ b/sandbox/src/crosscall_server.cc @@ -138,6 +138,12 @@ CrossCallParamsEx* CrossCallParamsEx::CreateFromBuffer(void* buffer_base, copied_params = reinterpret_cast<CrossCallParamsEx*>(backing_mem); memcpy(backing_mem, call_params, declared_size); + // Check params count in case it got changed right before the memcpy. + if (copied_params->GetParamsCount() != param_count) { + delete [] backing_mem; + return NULL; + } + } __except(EXCEPTION_EXECUTE_HANDLER) { // In case of a windows exception we know it occurred while touching the // untrusted buffer so we bail out as is. |
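Review bot: the post-memcpy check that copied_params->GetParamsCount() equals param_count closes the window in which the untrusted side can rewrite the count between the server's first read and the copy, but it re-validates only that one field; declared_size is also read from the shared buffer before the copy and used as the memcpy length, so it should be compared against the private copy in the same way, so that nothing downstream trusts a value that was never checked on copied_params. Two smaller points: the new failure path does `delete [] backing_mem; return NULL;` while the __except branch that follows "bails out as is", so it is worth confirming that backing_mem is released on that path too rather than leaking on a faulting read; and although the commit message says the race is too tight for a unit test, this branch can be exercised deterministically by a test seam that rewrites the buffer's count field between the point param_count is captured and the memcpy, which would give the check a regression test.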