Breakout bug from #648971
-----
From the writeup:
There is another bug that allows shill to be crashed more reliably. Shill sends data on a socket without specifying the MSG_NOSIGNAL flag to send(), http_proxy.cc:689:
    int ret = sockets_->Send(fd, server_data_.GetConstData(),
                             server_data_.GetLength(), 0);
If the socket is already closed before send() then the kernel will signal a SIGPIPE that will kill shill.
The exploit causes just that to happen with the client socket. Normally, if the client connection is closed, then the read_client_handler_ of the proxy will run the ReadFromClient callback, which will stop both the client and server connections. So it's hard to do a send() after that. But shill stops read_client_handler_ while it has data to send to the server. If the server doesn't read out any incoming data, then the kernel receive buffer is filled. Next, the kernel send buffer of Chrome OS is filled and shill would block while sending further data to the server. So shill doesn't enable read_client_handler_ because it has further data to send to the server.
JavaScript can then close the TURN connection and shill doesn't notice that. Finally, the server can send a single byte to the proxy. The proxy tries to forward it to the client socket, which has been closed by Chrome, and the shill process gets killed by SIGPIPE.
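The kernel behaviour the writeup relies on, and the mitigation, can be observed in isolation. The following is an added example (not shill's code and not from the writeup): a Linux program sends one byte on an AF_UNIX socketpair whose peer has already been closed, first with MSG_NOSIGNAL, as the fix for the Send() call above would, and then with flags 0 as in the original call. With the flag, send() merely fails with EPIPE, which the caller can handle; without it, SIGPIPE is delivered to the process (here caught by a handler so the program survives).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

static volatile sig_atomic_t sigpipe_seen = 0;
static void on_sigpipe(int sig) { (void)sig; sigpipe_seen = 1; }

/* Send one byte to a stream socket whose peer is already closed, using the
 * given send() flags. Stores the errno from send() in *err and returns 1 if
 * SIGPIPE was delivered, 0 otherwise. A handler catches SIGPIPE so that the
 * flags==0 case does not terminate this process the way it killed shill. */
static int send_to_closed_peer(int flags, int *err) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) { *err = errno; return -1; }
    close(sv[1]);                       /* peer goes away, like the client socket closed by Chrome */

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigpipe;
    sigaction(SIGPIPE, &sa, &old);
    sigpipe_seen = 0;

    char byte = 'x';                    /* the single byte the proxy tries to forward */
    ssize_t n = send(sv[0], &byte, 1, flags);
    *err = (n < 0) ? errno : 0;         /* SIGPIPE, if any, is delivered before send() returns */

    sigaction(SIGPIPE, &old, NULL);
    close(sv[0]);
    return sigpipe_seen;
}

/* Accessors used by the checks below. */
int errno_after_send(int flags) { int e; send_to_closed_peer(flags, &e); return e; }
int sigpipe_delivered_after_send(int flags) { int e; return send_to_closed_peer(flags, &e); }

int main(void) {
    printf("MSG_NOSIGNAL: errno=%d (EPIPE=%d), SIGPIPE delivered=%d\n",
           errno_after_send(MSG_NOSIGNAL), EPIPE, sigpipe_delivered_after_send(MSG_NOSIGNAL));
    printf("flags=0:      errno=%d (EPIPE=%d), SIGPIPE delivered=%d\n",
           errno_after_send(0), EPIPE, sigpipe_delivered_after_send(0));
    return 0;
}
```

A process that neither passes MSG_NOSIGNAL nor ignores SIGPIPE (signal(SIGPIPE, SIG_IGN)) is terminated on the second send, which is exactly what the writeup describes.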
Comment 1 by elawrence@chromium.org, Sep 22 2016