Mojo: Guard against invalid data pipe configs

It's possible to create a data pipe with zero capacity or element size, which can violate other assumptions in the implementation. There's no value in creating such a pipe, so this CL prevents it. BUG=761634 R=jcivelli@chromium.org Change-Id: Icec88cfc98b706ec6905146e34d99e5f9ea433b9 Reviewed-on: https://chromium-review.googlesource.com/653780 Reviewed-by: Jay Civelli <jcivelli@chromium.org> Commit-Queue: Ken Rockot <rockot@chromium.org> Cr-Commit-Position: refs/heads/master@{#500112}
marcosholgado · Sep 6, 2017 · fad90d4 · fad90d4
1 parent 7b0b4c4
commit fad90d4
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 2 deletions.
diff --git a/mojo/edk/system/core.cc b/mojo/edk/system/core.cc
@@ -799,6 +799,10 @@ MojoResult Core::CreateDataPipe(const MojoCreateDataPipeOptions* options,
   create_options.capacity_num_bytes = options && options->capacity_num_bytes
                                           ? options->capacity_num_bytes
                                           : 64 * 1024;
+  if (!create_options.element_num_bytes || !create_options.capacity_num_bytes ||
+      create_options.capacity_num_bytes < create_options.element_num_bytes) {
+    return MOJO_RESULT_INVALID_ARGUMENT;
+  }
 
   scoped_refptr<PlatformSharedBuffer> ring_buffer =
       GetNodeController()->CreateSharedBuffer(

diff --git a/mojo/edk/system/data_pipe_consumer_dispatcher.cc b/mojo/edk/system/data_pipe_consumer_dispatcher.cc
@@ -372,6 +372,10 @@ DataPipeConsumerDispatcher::Deserialize(const void* data,
   }
 
   const SerializedState* state = static_cast<const SerializedState*>(data);
+  if (!state->options.capacity_num_bytes || !state->options.element_num_bytes ||
+      state->options.capacity_num_bytes < state->options.element_num_bytes) {
+    return nullptr;
+  }
 
   NodeController* node_controller = internal::g_core->GetNodeController();
   ports::PortRef port;

diff --git a/mojo/edk/system/data_pipe_producer_dispatcher.cc b/mojo/edk/system/data_pipe_producer_dispatcher.cc
@@ -335,6 +335,10 @@ DataPipeProducerDispatcher::Deserialize(const void* data,
   }
 
   const SerializedState* state = static_cast<const SerializedState*>(data);
+  if (!state->options.capacity_num_bytes || !state->options.element_num_bytes ||
+      state->options.capacity_num_bytes < state->options.element_num_bytes) {
+    return nullptr;
+  }
 
   NodeController* node_controller = internal::g_core->GetNodeController();
   ports::PortRef port;

diff --git a/mojo/public/c/system/data_pipe.h b/mojo/public/c/system/data_pipe.h
@@ -129,8 +129,9 @@ extern "C" {
 //
 // Returns:
 //   |MOJO_RESULT_OK| on success.
-//   |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g.,
-//       |*options| is invalid).
+//   |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid, e.g.,
+//       |*options| is invalid, specified capacity or element size is zero, or
+//       the specified element size exceeds the specified capacity.
 //   |MOJO_RESULT_RESOURCE_EXHAUSTED| if a process/system/quota/etc. limit has
 //       been reached (e.g., if the requested capacity was too large, or if the
 //       maximum number of handles was exceeded).