Crash when sending oversized legacy IPC messages

We have a clear indication that some renderer code paths are sending oversized IPC messages (https://crbug.com/766032), but because of thread-hopping via IPC::ChannelProxy the details remain unclear. This adds a message size CHECK earlier in the stack, before (if) any task is posted to the IPC thread to do the Send. BUG=766032 Change-Id: I68e3962076a97b5774d12d971039b303fc755f4d Reviewed-on: https://chromium-review.googlesource.com/671446 Commit-Queue: Ken Rockot <rockot@chromium.org> Reviewed-by: Yuzhu Shen <yzshen@chromium.org> Cr-Commit-Position: refs/heads/master@{#502641}
marcosholgado · Sep 18, 2017 · 8b8c906 · 8b8c906
1 parent 7e8dcc0
commit 8b8c906
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 1 deletion.
diff --git a/ipc/ipc_channel.cc b/ipc/ipc_channel.cc
@@ -23,6 +23,9 @@ base::AtomicSequenceNumber g_last_id;
 
 namespace IPC {
 
+// static
+constexpr size_t Channel::kMaximumMessageSize;
+
 // static
 std::string Channel::GenerateUniqueRandomChannelID() {
   // Note: the string must start with the current process id, this is how

diff --git a/ipc/ipc_channel.h b/ipc/ipc_channel.h
@@ -140,7 +140,7 @@ class IPC_EXPORT Channel : public Sender {
 
   // The maximum message size in bytes. Attempting to receive a message of this
   // size or bigger results in a channel error.
-  static const size_t kMaximumMessageSize = 128 * 1024 * 1024;
+  static constexpr size_t kMaximumMessageSize = 128 * 1024 * 1024;
 
   // Amount of data to read at once from the pipe.
   static const size_t kReadBufferSize = 4 * 1024;

diff --git a/ipc/ipc_channel_nacl.cc b/ipc/ipc_channel_nacl.cc
@@ -67,6 +67,9 @@ bool ReadDataOnReaderThread(int pipe, MessageContents* contents) {
 
 }  // namespace
 
+// static
+constexpr size_t Channel::kMaximumMessageSize;
+
 class ChannelNacl::ReaderThreadRunner
     : public base::DelegateSimpleThread::Delegate {
  public:

diff --git a/ipc/ipc_channel_proxy.cc b/ipc/ipc_channel_proxy.cc
@@ -531,6 +531,10 @@ void ChannelProxy::SendInternal(Message* message) {
   Logging::GetInstance()->OnSendMessage(message);
 #endif
 
+  // See https://crbug.com/766032. This is to ensure that senders of oversized
+  // messages can be caught more easily in the wild.
+  CHECK_LE(message->size(), Channel::kMaximumMessageSize);
+
   context_->Send(message);
 }