[Mojo] Use handle vector size instead of serialised size field for metrics

Since num_handles() is read from the serialised message, if the message
is invalid for some reason, num_handles() could be either invalid or
result in an out-of-bounds memory access.

Bug: 1110302, 1110432
Change-Id: Ia63e78a4131310e1febd87186044dbfe1348fb7d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2326553Reviewed-by: Ken Rockot <rockot@google.com>
Commit-Queue: Anand K Mistry <amistry@chromium.org>
Cr-Commit-Position: refs/heads/master@{#793538}

mojo/core/channel.cc

@@ -448,6 +448,10 @@ std::vector<PlatformHandleInTransit> Channel::Message::TakeHandles() {
   return std::move(handle_vector_);
 }
 
+size_t Channel::Message::NumHandlesForTransit() const {
+  return handle_vector_.size();
+}
+
 // Helper class for managing a Channel's read buffer allocations. This maintains
 // a single contiguous buffer with the layout:
 //

mojo/core/channel.h

@@ -202,6 +202,7 @@ class MOJO_SYSTEM_IMPL_EXPORT Channel
     void SetHandles(std::vector<PlatformHandle> new_handles);
     void SetHandles(std::vector<PlatformHandleInTransit> new_handles);
     std::vector<PlatformHandleInTransit> TakeHandles();
+    size_t NumHandlesForTransit() const;
 
     void SetVersionForTest(uint16_t version_number);
 

mojo/core/channel_posix.cc

@@ -138,7 +138,7 @@ class ChannelPosix : public Channel,
     UMA_HISTOGRAM_COUNTS_100000("Mojo.Channel.WriteMessageSize",
                                 message->data_num_bytes());
     UMA_HISTOGRAM_COUNTS_100("Mojo.Channel.WriteMessageHandles",
-                             message->num_handles());
+                             message->NumHandlesForTransit());
 
     bool write_error = false;
     bool queued = false;