mojo: copy the message name and interface before logging

To prevent use-after-free, we have to copy the message name and
interface name before logging since by that time they're destroyed

Bug: chromium:1226890
Test: Forced the codepath to always print the message after Accept
Change-Id: I482de04f290fc9f1c8969cee284bba449e9c8fd2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3012337
Commit-Queue: Muhammad Hasan Khan <mhasank@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Cr-Commit-Position: refs/heads/master@{#899641}

This commit is contained in:

Muhammad Hasan Khan

2021-07-08 18:46:44 +00:00

committed by

Chromium LUCI CQ

parent ac674c86a8

commit 64be504ebf

1 changed files with 12 additions and 5 deletions

									
										17

mojo/public/cpp/bindings/lib/interface_endpoint_client.cc
									
				@ -647,11 +647,18 @@ bool InterfaceEndpointClient::SendMessageWithResponder(

				bool InterfaceEndpointClient::HandleIncomingMessage(Message* message) {

				  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);

				   if (!dispatcher_.Accept(message)) {

				      LOG(ERROR) << "Message " << message->name() << " rejected by interface " << interface_name_;

				      return false;

				    }

				    return true;

				  // Accept() may invalidate `this` and `message` so we need to copy the

				  // members we need for logging in case of an error.

				  const char* interface_name = interface_name_;

				  uint32_t name = message->name();

				  if (!dispatcher_.Accept(message)) {

				    LOG(ERROR) << "Message " << name << " rejected by interface "

				               << interface_name;

				    return false;

				  }

				  return true;

				}

				void InterfaceEndpointClient::NotifyError(

mojo: copy the message name and interface before logging

17 mojo/public/cpp/bindings/lib/interface_endpoint_client.cc

17

mojo/public/cpp/bindings/lib/interface_endpoint_client.cc