New issue
Advanced search Search tips

Issue 619158 link

Starred by 1 user
Status: Fixed
Owner:
lazyboy@chromium.org
Closed: Jun 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Negative port id crashes extensions using socket.connect/bind etc

Project Member Reported by lazyboy@chromium.org, Jun 10 2016 
Call chrome.socket.connect(1, "foo", -1, function() {}) from an extension.
Due to checking port range in socket_api.cc using EXTENSION_FUNCTION_VALIDATE, bad_message_ = true gets set which kills the extension.
e.g.: 
https://cs.chromium.org/chromium/src/extensions/browser/api/socket/socket_api.cc?rcl=0&l=274

I'll just turn the validation errors to error responses.
Project Member

Comment 1 by bugdroid1@chromium.org, Jun 10 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c5ebb340bf9ab615ae58cfcf573c25b946ed5460

commit c5ebb340bf9ab615ae58cfcf573c25b946ed5460
Author: lazyboy <lazyboy@chromium.org>
Date: Fri Jun 10 23:45:24 2016

Send API error response when chrome.socket.* API receives an invalid port number.

We used to call EXTENSION_FUNCTION_VALIDATE to validate these, which would
result in CHECK on debug builds and bad_message_ = true in release builds.
bad_message_ will end up killing the extension process.

BUG= 619158 
Test=See bug description for repro case.

Review-Url: https://codereview.chromium.org/2058513006
Cr-Commit-Position: refs/heads/master@{#399321}

[modify] https://crrev.com/c5ebb340bf9ab615ae58cfcf573c25b946ed5460/chrome/browser/extensions/api/socket/socket_api_unittest.cc
[modify] https://crrev.com/c5ebb340bf9ab615ae58cfcf573c25b946ed5460/extensions/browser/api/socket/socket_api.cc

Comment 2 by lazyboy@chromium.org, Jun 11 2016

Status: Fixed (was: Started)
Project Member

Comment 3 by bugdroid1@chromium.org, Jun 15 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c5ebb340bf9ab615ae58cfcf573c25b946ed5460

commit c5ebb340bf9ab615ae58cfcf573c25b946ed5460
Author: lazyboy <lazyboy@chromium.org>
Date: Fri Jun 10 23:45:24 2016

Send API error response when chrome.socket.* API receives an invalid port number.

We used to call EXTENSION_FUNCTION_VALIDATE to validate these, which would
result in CHECK on debug builds and bad_message_ = true in release builds.
bad_message_ will end up killing the extension process.

BUG= 619158 
Test=See bug description for repro case.

Review-Url: https://codereview.chromium.org/2058513006
Cr-Commit-Position: refs/heads/master@{#399321}

[modify] https://crrev.com/c5ebb340bf9ab615ae58cfcf573c25b946ed5460/chrome/browser/extensions/api/socket/socket_api_unittest.cc
[modify] https://crrev.com/c5ebb340bf9ab615ae58cfcf573c25b946ed5460/extensions/browser/api/socket/socket_api.cc

Sign in to add a comment