ChannelLinux: Fix bug when a offer payload is not sent

If a message is sent without a properly sized payload we should not attempt to parse it. Bug: chromium:1171851 Change-Id: Ia1d203be8759ed86e782f6002e9b8d2115bb8397 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2657182 Reviewed-by: Ken Rockot <rockot@google.com> Commit-Queue: Brian Geffon <bgeffon@chromium.org> Cr-Commit-Position: refs/heads/master@{#848266}
marcosholgado · Jan 28, 2021 · bc868a4 · bc868a4
1 parent a6b3b9a
commit bc868a4
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/mojo/core/channel_linux.cc b/mojo/core/channel_linux.cc
@@ -603,6 +603,11 @@ bool ChannelLinux::OnControlMessage(Message::MessageType message_type,
     case Message::MessageType::UPGRADE_OFFER: {
       const UpgradeOfferMessage* msg =
           reinterpret_cast<const UpgradeOfferMessage*>(payload);
+      if (payload_size < sizeof(UpgradeOfferMessage)) {
+        LOG(ERROR) << "Received a malformed UPGRADE_OFFER message";
+        return true;
+      }
+
       if (msg->version != UpgradeOfferMessage::kSupportedVersion) {
         LOG(ERROR) << "Reject shared mem upgrade unexpected version: "
                    << msg->version;