Better handle oversized IPC messages

* Shoot down oversized messages on the sending side so we fail faster. * Add DCHECKs to identify oversized messages early. The real fix for the underlying bug is not to send oversized messages in the first place, but the current state of things is that it takes a long while for the renderer to crash. This change should speed the failure up a bit. BUG=26822 TEST=Chrome should continue to load web pages. Review URL: http://codereview.chromium.org/546047 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@37102 0039d316-1c4b-4281-b951-d872f2087c98
Denger-Network · Jan 26, 2010 · 00a13d2 · 00a13d2
1 parent 1677229
commit 00a13d2
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/ipc/ipc_channel_posix.cc b/ipc/ipc_channel_posix.cc
@@ -734,6 +734,10 @@ bool Channel::ChannelImpl::ProcessOutgoingMessages() {
   while (!output_queue_.empty()) {
     Message* msg = output_queue_.front();
 
+    // Oversized messages should be rejected in Send().
+    DCHECK_LE(msg->size(), kMaximumMessageSize)
+        << "Attempt to send oversized message";
+
 #if defined(OS_LINUX)
     scoped_ptr<Message> hello;
     if (remote_fd_pipe_ != -1 &&
@@ -884,6 +888,15 @@ bool Channel::ChannelImpl::ProcessOutgoingMessages() {
 }
 
 bool Channel::ChannelImpl::Send(Message* message) {
+  if(message->size(), kMaximumMessageSize) {
+    LOG(ERROR) << "Attempt to send oversized message "
+                 << message->size()
+                 << " type="
+                 << message->type();
+    Close();
+    delete message;
+    return false;
+  }
 #ifdef IPC_MESSAGE_DEBUG_EXTRA
   DLOG(INFO) << "sending message @" << message << " on channel @" << this
              << " with type " << message->type()

diff --git a/ipc/ipc_channel_win.cc b/ipc/ipc_channel_win.cc
@@ -77,6 +77,15 @@ void Channel::ChannelImpl::Close() {
 
 bool Channel::ChannelImpl::Send(Message* message) {
   DCHECK(thread_check_->CalledOnValidThread());
+  if (message->size() > kMaximumMessageSize) {
+    LOG(ERROR) << "Attempt to send oversized message "
+               << message->size()
+               << " type="
+               << message->type();
+    Close();
+    delete message;
+    return false;
+  }
 #ifdef IPC_MESSAGE_DEBUG_EXTRA
   DLOG(INFO) << "sending message @" << message << " on channel @" << this
              << " with type " << message->type()
@@ -345,6 +354,11 @@ bool Channel::ChannelImpl::ProcessOutgoingMessages(
 
   // Write to pipe...
   Message* m = output_queue_.front();
+
+  // Oversized messages should be rejected in Send().
+  DCHECK_LE(m->size(), kMaximumMessageSize)
+      << "Attempt to send oversized message";
+
   BOOL ok = WriteFile(pipe_,
                       m->data(),
                       m->size(),

diff --git a/ipc/ipc_sync_channel.cc b/ipc/ipc_sync_channel.cc
@@ -382,6 +382,15 @@ bool SyncChannel::Send(Message* message) {
 }
 
 bool SyncChannel::SendWithTimeout(Message* message, int timeout_ms) {
+  if(message->size() > IPC::Channel::kMaximumMessageSize) {
+    LOG(ERROR) << "Attempt to send oversized message "
+               << message->size()
+               << " type="
+               << message->type();
+    delete message;
+    return false;
+  }
+
   if (!message->is_sync()) {
     ChannelProxy::Send(message);
     return true;