author | cpu <cpu@chromium.org> | 2014-09-16 20:24:35 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2014-09-17 03:24:54 +0000 |
commit | 6f396e2512fb2efb968962aec3371b300cdfad2c (patch) | |
tree | 15e6339232b13f0bfd32654daf5cf8b0b9714e02 /sandbox | |
parent | 7a2b1cb83546418638417fc4d3c9aa6172fe02e9 (diff) | |
fix sandbox memory leak
The memory allocated by AllocAndCopyName was not being freed
if the in-process policy engine did not allow the request to
query the broker.
This was nicely reported by typo.pl@gmail.com
TEST=see bug
BUG=414039
Review URL: https://codereview.chromium.org/575623004
Cr-Commit-Position: refs/heads/master@{#295220}
Diffstat (limited to 'sandbox')
-rw-r--r-- | sandbox/win/src/filesystem_interception.cc | 31 |
1 files changed, 20 insertions, 11 deletions
diff --git a/sandbox/win/src/filesystem_interception.cc b/sandbox/win/src/filesystem_interception.cc
index 33688f0..2d9d36d 100644
--- a/sandbox/win/src/filesystem_interception.cc
+++ b/sandbox/win/src/filesystem_interception.cc
@@ -35,6 +35,7 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
 return status;
+ wchar_t* name = NULL;
 do {
 if (!ValidParameter(file, sizeof(HANDLE), WRITE))
 break;
@@ -45,7 +46,6 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
 if (NULL == memory)
 break;
- wchar_t* name;
 uint32 attributes = 0;
 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, NULL);
@@ -69,9 +69,6 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
 ResultCode code = CrossCall(ipc, IPC_NTCREATEFILE_TAG, name, attributes, desired_access, file_attributes, sharing, disposition, options, &answer);
-
- operator delete(name, NT_ALLOC);
-
 if (SBOX_ALL_OK != code)
 break;
@@ -88,6 +85,9 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
 }
 } while (false);
+ if (name)
+ operator delete(name, NT_ALLOC);
+
 return status;
 }
@@ -106,6 +106,7 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file,
 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
 return status;
+ wchar_t* name = NULL;
 do {
 if (!ValidParameter(file, sizeof(HANDLE), WRITE))
 break;
@@ -116,7 +117,6 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file,
 if (NULL == memory)
 break;
- wchar_t* name;
 uint32 attributes;
 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, NULL);
@@ -137,9 +137,6 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file,
 CrossCallReturn answer = {0};
 ResultCode code = CrossCall(ipc, IPC_NTOPENFILE_TAG, name, attributes, desired_access, sharing, options, &answer);
-
- operator delete(name, NT_ALLOC);
-
 if (SBOX_ALL_OK != code)
 break;
@@ -156,6 +153,9 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file,
 }
 } while (false);
+ if (name)
+ operator delete(name, NT_ALLOC);
+
 return status;
 }
@@ -172,6 +172,7 @@ NTSTATUS WINAPI TargetNtQueryAttributesFile(
 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
 return status;
+ wchar_t* name = NULL;
 do {
 if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE))
 break;
@@ -180,7 +181,6 @@ NTSTATUS WINAPI TargetNtQueryAttributesFile(
 if (NULL == memory)
 break;
- wchar_t* name = NULL;
 uint32 attributes = 0;
 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, NULL);
@@ -212,6 +212,9 @@ NTSTATUS WINAPI TargetNtQueryAttributesFile(
 } while (false);
+ if (name)
+ operator delete(name, NT_ALLOC);
+
 return status;
 }
@@ -229,6 +232,7 @@ NTSTATUS WINAPI TargetNtQueryFullAttributesFile(
 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
 return status;
+ wchar_t* name = NULL;
 do {
 if (!ValidParameter(file_attributes, sizeof(FILE_NETWORK_OPEN_INFORMATION), WRITE))
 break;
@@ -238,7 +242,6 @@ NTSTATUS WINAPI TargetNtQueryFullAttributesFile(
 if (NULL == memory)
 break;
- wchar_t* name = NULL;
 uint32 attributes = 0;
 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, NULL);
@@ -269,6 +272,9 @@ NTSTATUS WINAPI TargetNtQueryFullAttributesFile(
 return answer.nt_status;
 } while (false);
+ if (name)
+ operator delete(name, NT_ALLOC);
+
 return status;
 }
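Review bot: TargetNtQueryFullAttributesFile still leaks `name` on its success path: the context of the `@@ -269,6 +272,9 @@` hunk shows `return answer.nt_status;` directly before `} while (false);`, so a successful brokered call returns before reaching the added `operator delete(name, NT_ALLOC);`. Replacing that line with `status = answer.nt_status;`, the form visible in the TargetNtSetInformationFile hunk, lets the success path fall through to the shared cleanup. The loop body lies mostly outside the hunks, so any other `return` between AllocAndCopyName and the end of the loop would need the same treatment; a scoped owner for `name` would remove the dependency on every exit path reaching the bottom of the function.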
@@ -286,6 +292,7 @@ NTSTATUS WINAPI TargetNtSetInformationFile(
 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
 return status;
+ wchar_t* name = NULL;
 do {
 void* memory = GetGlobalIPCMemory();
 if (NULL == memory)
@@ -315,7 +322,6 @@ NTSTATUS WINAPI TargetNtSetInformationFile(
 break;
 }
- wchar_t* name;
 NTSTATUS ret = AllocAndCopyName(&object_attributes, &name, NULL, NULL);
 if (!NT_SUCCESS(ret) || !name)
 break;
@@ -345,6 +351,9 @@ NTSTATUS WINAPI TargetNtSetInformationFile(
 status = answer.nt_status;
 } while (false);
+ if (name)
+ operator delete(name, NT_ALLOC);
+
 return status;
 } |