Fix an attachment broker race condition.

Race condition: Browser process B starts two new processes: C1 and C2. C1 sends
C2 an attachment brokered message, via B. But B has not yet finished
establishing its connection with C2.

This CL stores wire formats that cannot be immediately sent to the destination
process because the connection has not been established. When the connection is
established, the wire formats are sent. Note that the resource itself has
already been duplicated into the destination.

If, for some reason, the connection is never established, then the assumption
is that the destination process died. The resource itself will be cleaned up by
the OS, but the data structure HandleWireFormat will leak. This is known to be
rare.

If, at a later point in time, a new process is created with the same process
id, the WireFormats will be passed to the new process. There is no security
problem, since the resource itself is not being sent. Furthermore, it is
unlikely to affect the functionality of the new process, since AttachmentBroker
ids are large, unguessable nonces.

BUG=609262, 493414
TBR=asvitkine@chromium.org

Review-Url: https://codereview.chromium.org/1979533003
Cr-Commit-Position: refs/heads/master@{#393882}


CrOS-Libchrome-Original-Commit: 3e0f4d3ce943d23e3862d42a273086613be46155
3 files changed
tree: 4944568e9fa4b7b7b70048a7ea92d46abfc4b1f7
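
The queue-then-flush behaviour described in the commit message, as an added C++ example that is not code from this CL or from Chromium. QueueingBroker, WireFormat, Route, OnChannelRegistered and OnProcessExited are hypothetical names, and OnProcessExited is an assumed cleanup hook that the commit does not include.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <vector>

// Hypothetical stand-ins for illustration; not Chromium's real types.
using ProcessId = int;
struct WireFormat {
  ProcessId destination;        // process the resource was duplicated into
  std::uint64_t attachment_id;  // stands in for the unguessable broker nonce
};

struct QueueingBroker {
  std::set<ProcessId> connected;
  std::map<ProcessId, std::vector<WireFormat>> pending;
  std::vector<WireFormat> delivered;  // wire formats handed to a channel

  // Returns true if sent immediately, false if held until the channel exists.
  bool Route(const WireFormat& wf) {
    if (connected.count(wf.destination)) {
      delivered.push_back(wf);
      return true;
    }
    pending[wf.destination].push_back(wf);
    return false;
  }

  // The connection to `pid` is established: flush what was queued for it.
  // The queue is keyed only by pid, so a later process that reuses the pid
  // receives the stale entries, as the commit message notes.
  std::size_t OnChannelRegistered(ProcessId pid) {
    connected.insert(pid);
    auto it = pending.find(pid);
    if (it == pending.end()) return 0;
    std::size_t flushed = it->second.size();
    for (const WireFormat& wf : it->second) delivered.push_back(wf);
    pending.erase(it);
    return flushed;
  }

  // Assumed cleanup hook, not part of the commit: dropping the queue when the
  // destination's exit is observed avoids both the leak and the stale delivery.
  bool OnProcessExited(ProcessId pid) {
    connected.erase(pid);
    return pending.erase(pid) > 0;
  }
};
```
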