1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "ipc/ipc_channel_win.h"
9 #include "base/auto_reset.h"
10 #include "base/bind.h"
11 #include "base/compiler_specific.h"
12 #include "base/logging.h"
13 #include "base/pickle.h"
14 #include "base/process/process_handle.h"
15 #include "base/rand_util.h"
16 #include "base/strings/string_number_conversions.h"
17 #include "base/strings/utf_string_conversions.h"
18 #include "base/threading/thread_checker.h"
19 #include "base/win/scoped_handle.h"
20 #include "ipc/ipc_listener.h"
21 #include "ipc/ipc_logging.h"
22 #include "ipc/ipc_message_utils.h"
28 CALLED_CONNECT = 1 << 1,
29 PENDING_CONNECT = 1 << 2,
30 CONNECT_COMPLETED = 1 << 3,
31 PIPE_CONNECTED = 1 << 4,
34 WRITE_COMPLETED = 1 << 7,
35 READ_COMPLETED = 1 << 8,
37 WAIT_FOR_READ = 1 << 10,
38 WAIT_FOR_WRITE = 1 << 11,
39 WAIT_FOR_READ_COMPLETE = 1 << 12,
40 WAIT_FOR_WRITE_COMPLETE = 1 << 13
47 ChannelWin::State::State(ChannelWin* channel) : is_pending(false) {
48 memset(&context.overlapped, 0, sizeof(context.overlapped));
49 context.handler = channel;
52 ChannelWin::State::~State() {
53 COMPILE_ASSERT(!offsetof(ChannelWin::State, context),
54 starts_with_io_context);
57 ChannelWin::ChannelWin(const IPC::ChannelHandle &channel_handle,
58 Mode mode, Listener* listener)
59 : ChannelReader(listener),
62 pipe_(INVALID_HANDLE_VALUE),
63 peer_pid_(base::kNullProcessId),
64 waiting_connect_(mode & MODE_SERVER_FLAG),
65 processing_incoming_(false),
66 validate_client_(false),
74 CreatePipe(channel_handle, mode);
77 ChannelWin::~ChannelWin() {
81 void ChannelWin::Close() {
82 if (thread_check_.get()) {
83 DCHECK(thread_check_->CalledOnValidThread());
85 debug_flags_ |= CLOSED;
87 if (input_state_.is_pending || output_state_.is_pending)
90 // Closing the handle at this point prevents us from issuing more requests
91 // form OnIOCompleted().
92 if (pipe_ != INVALID_HANDLE_VALUE) {
94 pipe_ = INVALID_HANDLE_VALUE;
97 if (input_state_.is_pending)
98 debug_flags_ |= WAIT_FOR_READ;
100 if (output_state_.is_pending)
101 debug_flags_ |= WAIT_FOR_WRITE;
103 // Make sure all IO has completed.
104 base::Time start = base::Time::Now();
105 while (input_state_.is_pending || output_state_.is_pending) {
106 base::MessageLoopForIO::current()->WaitForIOCompletion(INFINITE, this);
109 while (!output_queue_.empty()) {
110 Message* m = output_queue_.front();
116 bool ChannelWin::Send(Message* message) {
117 DCHECK(thread_check_->CalledOnValidThread());
118 DVLOG(2) << "sending message @" << message << " on channel @" << this
119 << " with type " << message->type()
120 << " (" << output_queue_.size() << " in queue)";
122 #ifdef IPC_MESSAGE_LOG_ENABLED
123 Logging::GetInstance()->OnSendMessage(message, "");
126 message->TraceMessageBegin();
127 output_queue_.push(message);
128 // ensure waiting to write
129 if (!waiting_connect_) {
130 if (!output_state_.is_pending) {
131 if (!ProcessOutgoingMessages(NULL, 0))
139 base::ProcessId ChannelWin::GetPeerPID() const {
143 base::ProcessId ChannelWin::GetSelfPID() const {
144 return GetCurrentProcessId();
147 ChannelHandle ChannelWin::TakePipeHandle() {
148 ChannelHandle handle = ChannelHandle(pipe_);
149 pipe_ = INVALID_HANDLE_VALUE;
154 bool ChannelWin::IsNamedServerInitialized(
155 const std::string& channel_id) {
156 if (WaitNamedPipe(PipeName(channel_id, NULL).c_str(), 1))
158 // If ERROR_SEM_TIMEOUT occurred, the pipe exists but is handling another
160 return GetLastError() == ERROR_SEM_TIMEOUT;
163 ChannelWin::ReadState ChannelWin::ReadData(
166 int* /* bytes_read */) {
167 if (INVALID_HANDLE_VALUE == pipe_)
170 debug_flags_ |= READ_MSG;
171 DWORD bytes_read = 0;
172 BOOL ok = ReadFile(pipe_, buffer, buffer_len,
173 &bytes_read, &input_state_.context.overlapped);
175 DWORD err = GetLastError();
176 if (err == ERROR_IO_PENDING) {
177 input_state_.is_pending = true;
180 LOG(ERROR) << "pipe error: " << err;
184 // We could return READ_SUCCEEDED here. But the way that this code is
185 // structured we instead go back to the message loop. Our completion port
186 // will be signalled even in the "synchronously completed" state.
188 // This allows us to potentially process some outgoing messages and
189 // interleave other work on this thread when we're getting hammered with
190 // input messages. Potentially, this could be tuned to be more efficient
191 // with some testing.
192 input_state_.is_pending = true;
196 bool ChannelWin::WillDispatchInputMessage(Message* msg) {
197 // Make sure we get a hello when client validation is required.
198 if (validate_client_)
199 return IsHelloMessage(*msg);
203 void ChannelWin::HandleInternalMessage(const Message& msg) {
204 DCHECK_EQ(msg.type(), static_cast<unsigned>(Channel::HELLO_MESSAGE_TYPE));
205 // The hello message contains one parameter containing the PID.
206 PickleIterator it(msg);
208 bool failed = !it.ReadInt(&claimed_pid);
210 if (!failed && validate_client_) {
212 failed = it.ReadInt(&secret) ? (secret != client_secret_) : true;
218 listener()->OnChannelError();
222 peer_pid_ = claimed_pid;
223 // Validation completed.
224 validate_client_ = false;
225 listener()->OnChannelConnected(claimed_pid);
228 bool ChannelWin::DidEmptyInputBuffers() {
229 // We don't need to do anything here.
234 const base::string16 ChannelWin::PipeName(
235 const std::string& channel_id, int32* secret) {
236 std::string name("\\\\.\\pipe\\chrome.");
238 // Prevent the shared secret from ending up in the pipe name.
239 size_t index = channel_id.find_first_of('\\');
240 if (index != std::string::npos) {
241 if (secret) // Retrieve the secret if asked for.
242 base::StringToInt(channel_id.substr(index + 1), secret);
243 return base::ASCIIToWide(name.append(channel_id.substr(0, index - 1)));
246 // This case is here to support predictable named pipes in tests.
249 return base::ASCIIToWide(name.append(channel_id));
252 bool ChannelWin::CreatePipe(const IPC::ChannelHandle &channel_handle,
254 DCHECK_EQ(INVALID_HANDLE_VALUE, pipe_);
255 base::string16 pipe_name;
256 // If we already have a valid pipe for channel just copy it.
257 if (channel_handle.pipe.handle) {
258 DCHECK(channel_handle.name.empty());
259 pipe_name = L"Not Available"; // Just used for LOG
260 // Check that the given pipe confirms to the specified mode. We can
261 // only check for PIPE_TYPE_MESSAGE & PIPE_SERVER_END flags since the
262 // other flags (PIPE_TYPE_BYTE, and PIPE_CLIENT_END) are defined as 0.
264 GetNamedPipeInfo(channel_handle.pipe.handle, &flags, NULL, NULL, NULL);
265 DCHECK(!(flags & PIPE_TYPE_MESSAGE));
266 if (((mode & MODE_SERVER_FLAG) && !(flags & PIPE_SERVER_END)) ||
267 ((mode & MODE_CLIENT_FLAG) && (flags & PIPE_SERVER_END))) {
268 LOG(WARNING) << "Inconsistent open mode. Mode :" << mode;
271 if (!DuplicateHandle(GetCurrentProcess(),
272 channel_handle.pipe.handle,
277 DUPLICATE_SAME_ACCESS)) {
278 LOG(WARNING) << "DuplicateHandle failed. Error :" << GetLastError();
281 } else if (mode & MODE_SERVER_FLAG) {
282 DCHECK(!channel_handle.pipe.handle);
283 const DWORD open_mode = PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED |
284 FILE_FLAG_FIRST_PIPE_INSTANCE;
285 pipe_name = PipeName(channel_handle.name, &client_secret_);
286 validate_client_ = !!client_secret_;
287 pipe_ = CreateNamedPipeW(pipe_name.c_str(),
289 PIPE_TYPE_BYTE | PIPE_READMODE_BYTE,
291 Channel::kReadBufferSize,
292 Channel::kReadBufferSize,
295 } else if (mode & MODE_CLIENT_FLAG) {
296 DCHECK(!channel_handle.pipe.handle);
297 pipe_name = PipeName(channel_handle.name, &client_secret_);
298 pipe_ = CreateFileW(pipe_name.c_str(),
299 GENERIC_READ | GENERIC_WRITE,
303 SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION |
304 FILE_FLAG_OVERLAPPED,
310 if (pipe_ == INVALID_HANDLE_VALUE) {
311 // If this process is being closed, the pipe may be gone already.
312 PLOG(WARNING) << "Unable to create pipe \"" << pipe_name << "\" in "
313 << (mode & MODE_SERVER_FLAG ? "server" : "client") << " mode";
317 // Create the Hello message to be sent when Connect is called
318 scoped_ptr<Message> m(new Message(MSG_ROUTING_NONE,
320 IPC::Message::PRIORITY_NORMAL));
322 // Don't send the secret to the untrusted process, and don't send a secret
323 // if the value is zero (for IPC backwards compatability).
324 int32 secret = validate_client_ ? 0 : client_secret_;
325 if (!m->WriteInt(GetCurrentProcessId()) ||
326 (secret && !m->WriteUInt32(secret))) {
328 pipe_ = INVALID_HANDLE_VALUE;
332 debug_flags_ |= INIT_DONE;
334 output_queue_.push(m.release());
338 bool ChannelWin::Connect() {
339 DLOG_IF(WARNING, thread_check_.get()) << "Connect called more than once";
341 if (!thread_check_.get())
342 thread_check_.reset(new base::ThreadChecker());
344 if (pipe_ == INVALID_HANDLE_VALUE)
347 base::MessageLoopForIO::current()->RegisterIOHandler(pipe_, this);
349 // Check to see if there is a client connected to our pipe...
350 if (waiting_connect_)
353 if (!input_state_.is_pending) {
354 // Complete setup asynchronously. By not setting input_state_.is_pending
355 // to true, we indicate to OnIOCompleted that this is the special
356 // initialization signal.
357 base::MessageLoopForIO::current()->PostTask(
359 base::Bind(&ChannelWin::OnIOCompleted,
360 weak_factory_.GetWeakPtr(),
361 &input_state_.context,
366 if (!waiting_connect_)
367 ProcessOutgoingMessages(NULL, 0);
371 bool ChannelWin::ProcessConnection() {
372 DCHECK(thread_check_->CalledOnValidThread());
373 if (input_state_.is_pending)
374 input_state_.is_pending = false;
376 // Do we have a client connected to our pipe?
377 if (INVALID_HANDLE_VALUE == pipe_)
380 BOOL ok = ConnectNamedPipe(pipe_, &input_state_.context.overlapped);
381 debug_flags_ |= CALLED_CONNECT;
383 DWORD err = GetLastError();
385 // Uhm, the API documentation says that this function should never
386 // return success when used in overlapped mode.
392 case ERROR_IO_PENDING:
393 input_state_.is_pending = true;
394 debug_flags_ |= PENDING_CONNECT;
396 case ERROR_PIPE_CONNECTED:
397 debug_flags_ |= PIPE_CONNECTED;
398 waiting_connect_ = false;
401 // The pipe is being closed.
411 bool ChannelWin::ProcessOutgoingMessages(
412 base::MessageLoopForIO::IOContext* context,
413 DWORD bytes_written) {
414 DCHECK(!waiting_connect_); // Why are we trying to send messages if there's
416 DCHECK(thread_check_->CalledOnValidThread());
418 if (output_state_.is_pending) {
420 output_state_.is_pending = false;
421 if (!context || bytes_written == 0) {
422 DWORD err = GetLastError();
423 LOG(ERROR) << "pipe error: " << err;
427 CHECK(!output_queue_.empty());
428 Message* m = output_queue_.front();
433 if (output_queue_.empty())
436 if (INVALID_HANDLE_VALUE == pipe_)
440 Message* m = output_queue_.front();
441 DCHECK(m->size() <= INT_MAX);
442 debug_flags_ |= WRITE_MSG;
445 write_size_ = static_cast<uint32>(m->size());
447 BOOL ok = WriteFile(pipe_,
451 &output_state_.context.overlapped);
453 write_error_ = GetLastError();
454 if (write_error_ == ERROR_IO_PENDING) {
455 output_state_.is_pending = true;
457 DVLOG(2) << "sent pending message @" << m << " on channel @" << this
458 << " with type " << m->type();
463 last_write_error_ = write_error_;
464 LOG(ERROR) << "pipe error: " << write_error_;
468 DVLOG(2) << "sent message @" << m << " on channel @" << this
469 << " with type " << m->type();
471 output_state_.is_pending = true;
475 void ChannelWin::OnIOCompleted(
476 base::MessageLoopForIO::IOContext* context,
477 DWORD bytes_transfered,
480 DCHECK(thread_check_->CalledOnValidThread());
481 if (context == &input_state_.context) {
482 if (waiting_connect_) {
483 debug_flags_ |= CONNECT_COMPLETED;
484 if (!ProcessConnection())
486 // We may have some messages queued up to send...
487 if (!output_queue_.empty() && !output_state_.is_pending)
488 ProcessOutgoingMessages(NULL, 0);
489 if (input_state_.is_pending)
491 // else, fall-through and look for incoming messages...
494 // We don't support recursion through OnMessageReceived yet!
495 DCHECK(!processing_incoming_);
496 base::AutoReset<bool> auto_reset_processing_incoming(
497 &processing_incoming_, true);
499 // Process the new data.
500 if (input_state_.is_pending) {
501 // This is the normal case for everything except the initialization step.
502 debug_flags_ |= READ_COMPLETED;
503 if (debug_flags_ & WAIT_FOR_READ) {
504 CHECK(!(debug_flags_ & WAIT_FOR_READ_COMPLETE));
505 debug_flags_ |= WAIT_FOR_READ_COMPLETE;
507 input_state_.is_pending = false;
508 if (!bytes_transfered)
510 else if (pipe_ != INVALID_HANDLE_VALUE)
511 ok = AsyncReadComplete(bytes_transfered);
513 DCHECK(!bytes_transfered);
516 // Request more data.
518 ok = ProcessIncomingMessages();
520 DCHECK(context == &output_state_.context);
522 CHECK(output_state_.is_pending);
524 debug_flags_ |= WRITE_COMPLETED;
525 if (debug_flags_ & WAIT_FOR_WRITE) {
526 CHECK(!(debug_flags_ & WAIT_FOR_WRITE_COMPLETE));
527 debug_flags_ |= WAIT_FOR_WRITE_COMPLETE;
529 ok = ProcessOutgoingMessages(context, bytes_transfered);
531 if (!ok && INVALID_HANDLE_VALUE != pipe_) {
532 // We don't want to re-enter Close().
534 listener()->OnChannelError();
538 //------------------------------------------------------------------------------
542 scoped_ptr<Channel> Channel::Create(
543 const IPC::ChannelHandle &channel_handle, Mode mode, Listener* listener) {
544 return scoped_ptr<Channel>(
545 new ChannelWin(channel_handle, mode, listener));
549 bool Channel::IsNamedServerInitialized(const std::string& channel_id) {
550 return ChannelWin::IsNamedServerInitialized(channel_id);
554 std::string Channel::GenerateVerifiedChannelID(const std::string& prefix) {
555 // Windows pipes can be enumerated by low-privileged processes. So, we
556 // append a strong random value after the \ character. This value is not
557 // included in the pipe name, but sent as part of the client hello, to
558 // hijacking the pipe name to spoof the client.
560 std::string id = prefix;
565 do { // Guarantee we get a non-zero value.
566 secret = base::RandInt(0, std::numeric_limits<int>::max());
567 } while (secret == 0);
569 id.append(GenerateUniqueRandomChannelID());
570 return id.append(base::StringPrintf("\\%d", secret));