authorcpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-04-03 23:45:42 +0000
committercpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-04-03 23:45:42 +0000
commit34682d662be8615551cf7ea19c9012f8b60bd9be (patch)
treea04e55d6828130c1e4582807de202d6e54d5bd03 /sandbox
parent95f88a2c7d11b26af103940af8bb2124d1ee9a05 (diff)
downloadchromium_src-34682d662be8615551cf7ea19c9012f8b60bd9be.zip
chromium_src-34682d662be8615551cf7ea19c9012f8b60bd9be.tar.gz
chromium_src-34682d662be8615551cf7ea19c9012f8b60bd9be.tar.bz2
Fix race in CrossCallParamsEx::CreateFromBuffer
Credit goes to Willem Pinckaers / Matasano. No unittest because to trigger this codepath you need to win a very tight race. BUG=121726 TEST=none Review URL: https://chromiumcodereview.appspot.com/9965117 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@130505 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r--sandbox/src/crosscall_server.cc6
1 files changed, 6 insertions, 0 deletions
diff --git a/sandbox/src/crosscall_server.cc b/sandbox/src/crosscall_server.cc
index 3ed99c8..7c4542c 100644
--- a/sandbox/src/crosscall_server.cc
+++ b/sandbox/src/crosscall_server.cc
@@ -138,6 +138,12 @@ CrossCallParamsEx* CrossCallParamsEx::CreateFromBuffer(void* buffer_base,
copied_params = reinterpret_cast<CrossCallParamsEx*>(backing_mem);
memcpy(backing_mem, call_params, declared_size);
+ // Check params count in case it got changed right before the memcpy.
+ if (copied_params->GetParamsCount() != param_count) {
+ delete [] backing_mem;
+ return NULL;
+ }
+
} __except(EXCEPTION_EXECUTE_HANDLER) {
// In case of a windows exception we know it occurred while touching the
// untrusted buffer so we bail out as is.