Changeset 64871 in webkit
- Timestamp:
- Aug 6, 2010 2:52:03 PM (14 years ago)
- Location:
- trunk/WebKit2
- Files:
-
- 9 edited
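--- a/trunk/WebKit2/ChangeLog
+++ b/trunk/WebKit2/ChangeLog
@@ -1,2 +1,43 @@
+2010-08-06 Anders Carlsson <andersca@apple.com>
+
+        Reviewed by Adam Roben.
+
+        Detect invalid CoreIPC messages and call didReceiveInvalidMessage
+        https://bugs.webkit.org/show_bug.cgi?id=43643
+        <rdar://problem/7891069>
+
+        * Platform/CoreIPC/ArgumentDecoder.cpp:
+        (CoreIPC::ArgumentDecoder::alignBufferPosition):
+        If we can't correctly align the buffer position, mark the decoder as invalid.
+
+        * Platform/CoreIPC/ArgumentDecoder.h:
+        (CoreIPC::ArgumentDecoder::isInvalid):
+        Check if the argument decoder is valid.
+
+        (CoreIPC::ArgumentDecoder::markInvalid):
+        Mark the argument decoder as invalid, by setting its buffer position past its end position.
+
+        * Platform/CoreIPC/Connection.cpp:
+        (CoreIPC::Connection::dispatchMessages):
+        Check if m_client is null before dispatching messages. If an argument decoder was marked invalid, call
+        Connection::Client::didReceiveInvalidMessage.
+
+        * Platform/CoreIPC/Connection.h:
+        (CoreIPC::Connection::Message::releaseArguments):
+        Rename destroy to releaseArguments and make it return a PassOwnPtr.
+
+        * UIProcess/WebProcessProxy.cpp:
+        (WebKit::WebProcessProxy::~WebProcessProxy):
+        Call releaseArguments instead of destroy.
+
+        (WebKit::WebProcessProxy::didReceiveInvalidMessage):
+        Kill the web process and invalidate its connection.
+
+        * WebProcess/WebProcess.cpp:
+        (WebKit::WebProcess::didReceiveInvalidMessage):
+        Don't do anything, if the UI process is sending invalid messages there's not much we can do.
+
+        * WebProcess/WebProcess.h:
+
 2010-08-06 Anders Carlsson <andersca@apple.com>
 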
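--- a/trunk/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
+++ b/trunk/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
@@ -70,5 +70,5 @@
     if (buffer + size > m_bufferEnd) {
         // We've walked off the end of this buffer.
-        m_bufferPos = m_bufferEnd;
+        markInvalid();
         return false;
     }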
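Review bot: The bounds check `buffer + size > m_bufferEnd` that now routes to markInvalid() forms `buffer + size` before comparing, so if `size` can be derived from the message payload a large value wraps the pointer past the end and the check passes; comparing the remaining space instead, `if (size > static_cast<size_t>(m_bufferEnd - buffer)) {`, never forms an out-of-range pointer (this assumes `buffer` is already at or below `m_bufferEnd`, which the alignment step outside the hunk would need to guarantee). Where `size` comes from is not visible in this hunk, so treat this as a point to confirm rather than a proven defect. alignBufferPosition starts and ends outside the hunk.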
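--- a/trunk/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
+++ b/trunk/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
@@ -41,4 +41,7 @@
 
     uint64_t destinationID() const { return m_destinationID; }
+
+    bool isInvalid() const { return m_bufferPos > m_bufferEnd; }
+    void markInvalid() { m_bufferPos = m_bufferEnd + 1; }
 
     bool decodeBytes(Vector<uint8_t>&);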
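Review bot: `markInvalid()` sets `m_bufferPos = m_bufferEnd + 1`, and if these members are pointers (the `buffer + size > m_bufferEnd` comparison in ArgumentDecoder.cpp suggests they are) that forms a pointer two past the end of the buffer, which is undefined pointer arithmetic in C++ even though it will usually behave as intended. A dedicated flag is well-defined and just as cheap: `bool isInvalid() const { return m_invalid; }` and `void markInvalid() { m_invalid = true; m_bufferPos = m_bufferEnd; }`, with a `bool m_invalid` member initialized to false in the constructor outside this hunk; keeping `m_bufferPos` at `m_bufferEnd` preserves the previous behaviour that every later decode fails. A one-line comment above the pair, `// Once invalid, every subsequent decode fails and the dispatcher reports the message as invalid.`, would document the contract the Connection code relies on.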
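--- a/trunk/WebKit2/Platform/CoreIPC/Connection.cpp
+++ b/trunk/WebKit2/Platform/CoreIPC/Connection.cpp
@@ -238,6 +238,10 @@
     // Dispatch messages.
     for (size_t i = 0; i < incomingMessages.size(); ++i) {
+        // If someone calls invalidate while we're invalidating messages, we should stop.
+        if (!m_client)
+            return;
+
         IncomingMessage& message = incomingMessages[i];
-        ArgumentDecoder* arguments = message.arguments();
+        OwnPtr<ArgumentDecoder> arguments = message.releaseArguments();
 
         if (message.messageID().isSync()) {
@@ -254,12 +258,16 @@
 
             // Hand off both the decoder and encoder to the client..
-            m_client->didReceiveSyncMessage(this, message.messageID(), arguments, replyEncoder.get());
+            m_client->didReceiveSyncMessage(this, message.messageID(), arguments.get(), replyEncoder.get());
 
+            // FIXME: If the message was invalid, we should send back a SyncMessageError.
+            ASSERT(!arguments->isInvalid());
+
             // Send the reply.
             sendMessage(MessageID(CoreIPCMessage::SyncMessageReply), replyEncoder.release());
         } else
-            m_client->didReceiveMessage(this, message.messageID(), arguments);
-
-        message.destroy();
+            m_client->didReceiveMessage(this, message.messageID(), arguments.get());
+
+        if (arguments->isInvalid())
+            m_client->didReceiveInvalidMessage(this, message.messageID());
     }
 }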
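Review bot: At the new `if (arguments->isInvalid())` after the if/else, `m_client` can already be null: the client may have called invalidate() from inside didReceiveMessage or didReceiveSyncMessage, which is exactly the situation the new guard at the top of the loop anticipates, but that guard only runs before the next message. Guard the report as well, `if (m_client && arguments->isInvalid())`. In the sync branch an invalid decoder is only ASSERTed, so in release builds a reply built from partially decoded arguments is still sent before didReceiveInvalidMessage runs; the FIXME acknowledges this, and the comment should say explicitly that the reply is sent regardless until SyncMessageError exists. dispatchMessages starts outside the hunk.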
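--- a/trunk/WebKit2/Platform/CoreIPC/Connection.h
+++ b/trunk/WebKit2/Platform/CoreIPC/Connection.h
@@ -69,6 +69,7 @@
         virtual ~Client() { }
 
-    public:
+    public:
         virtual void didClose(Connection*) = 0;
+        virtual void didReceiveInvalidMessage(Connection*, MessageID) = 0;
     };
 
@@ -115,7 +116,10 @@
         T* arguments() const { return m_arguments; }
 
-        void destroy()
+        PassOwnPtr<T> releaseArguments()
         {
-            delete m_arguments;
+            T* arguments = m_arguments;
+            m_arguments = 0;
+
+            return arguments;
         }
 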
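Review bot: `releaseArguments()` hands ownership to the caller and nulls `m_arguments`, so `arguments()` returns 0 afterwards and a Message that is dropped without ever calling it leaks the decoder (the explicit call in ~WebProcessProxy suggests Message's destructor, outside this hunk, does not delete it, though that is inferred). A comment on the method would make the contract explicit: `// Transfers ownership of the decoder to the caller; arguments() returns 0 afterwards.` The `public:` line in the first hunk changes only whitespace as far as the rendering shows.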
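--- a/trunk/WebKit2/UIProcess/WebProcessProxy.cpp
+++ b/trunk/WebKit2/UIProcess/WebProcessProxy.cpp
@@ -95,5 +95,5 @@
 
     for (size_t i = 0; i < m_pendingMessages.size(); ++i)
-        m_pendingMessages[i].destroy();
+        m_pendingMessages[i].releaseArguments();
 
     if (m_processLauncher) {
@@ -399,4 +399,12 @@
 }
 
+void WebProcessProxy::didReceiveInvalidMessage(CoreIPC::Connection*, CoreIPC::MessageID messageID)
+{
+    // We received an invalid message from the web process, invalidate our connection and kill it.
+    m_connection->invalidate();
+
+    terminate();
+}
+
 void WebProcessProxy::didBecomeUnresponsive(ResponsivenessTimer*)
 {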
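Review bot: In didReceiveInvalidMessage the parameter `messageID` is named but never used, which draws an unused-parameter warning and throws away the one piece of context available when a web process is terminated for a malformed message; either drop the name, as the WebProcess.cpp counterpart in this changeset does, or record it in a diagnostic before terminate() so an investigation of a killed process can tell which message failed to decode. In the destructor hunk, `m_pendingMessages[i].releaseArguments();` relies on the discarded PassOwnPtr temporary to delete the decoder; a comment such as `// Discarding the returned PassOwnPtr deletes the pending decoder.` would keep the next reader from reading it as a leak.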
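--- a/trunk/WebKit2/UIProcess/WebProcessProxy.h
+++ b/trunk/WebKit2/UIProcess/WebProcessProxy.h
@@ -108,4 +108,5 @@
     void didReceiveSyncMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*, CoreIPC::ArgumentEncoder*);
     void didClose(CoreIPC::Connection*);
+    void didReceiveInvalidMessage(CoreIPC::Connection*, CoreIPC::MessageID);
 
     // ResponsivenessTimer::Client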
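--- a/trunk/WebKit2/WebProcess/WebProcess.cpp
+++ b/trunk/WebKit2/WebProcess/WebProcess.cpp
@@ -333,3 +333,9 @@
 }
 
+void WebProcess::didReceiveInvalidMessage(CoreIPC::Connection*, CoreIPC::MessageID)
+{
+    // We received an invalid message, but since this is from the UI process (which we trust),
+    // we'll let it slide.
+}
+
 } // namespace WebKit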
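Review bot: The empty body of didReceiveInvalidMessage discards the only signal that the UI-side encoder and the web-side decoder disagree, so a serialization bug on the trusted side goes unnoticed in every build; an `ASSERT_NOT_REACHED();` in the body (or a log line naming the message) would surface it in debug builds without changing release behaviour. Trusting the sender is a reason not to terminate, not a reason to stay silent, and the comment could say so: `// The UI process is trusted, so we keep running; this still indicates a serialization mismatch worth fixing.`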
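--- a/trunk/WebKit2/WebProcess/WebProcess.h
+++ b/trunk/WebKit2/WebProcess/WebProcess.h
@@ -88,4 +88,5 @@
     void didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*);
     void didClose(CoreIPC::Connection*);
+    void didReceiveInvalidMessage(CoreIPC::Connection*, CoreIPC::MessageID);
 
     RefPtr<CoreIPC::Connection> m_connection;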