Limit number of concurrent p2p UDP sockets.

This guards against a resource exhaustion in the UNIX sockets space. Bug: chromium:826957 Change-Id: I0b55ff033812b1778793f0d27398012c557b8e3a Reviewed-on: https://chromium-review.googlesource.com/995433Reviewed-by: Jochen Eisinger <jochen@chromium.org> Reviewed-by: Tommi <tommi@chromium.org> Commit-Queue: Harald Alvestrand <hta@chromium.org> Cr-Commit-Position: refs/heads/master@{#550145}

Limit number of concurrent p2p UDP sockets.
This guards against a resource exhaustion in the UNIX sockets space. Bug: chromium:826957 Change-Id: I0b55ff033812b1778793f0d27398012c557b8e3a Reviewed-on: https://chromium-review.googlesource.com/995433Reviewed-by: Jochen Eisinger <jochen@chromium.org> Reviewed-by: Tommi <tommi@chromium.org> Commit-Queue: Harald Alvestrand <hta@chromium.org> Cr-Commit-Position: refs/heads/master@{#550145}
67def1fc · Harald Alvestrand · Commit Bot · f98a3120 · 67def1fc · 67def1fc
Commit 67def1fc authored Apr 12, 2018 by Harald Alvestrand Committed by Commit Bot Apr 12, 2018
5 changed files
--- a/base/posix/unix_domain_socket.cc
+++ b/base/posix/unix_domain_socket.cc
@@ -189,6 +189,11 @@ ssize_t UnixDomainSocket::RecvMsgWithFlags(int fd,
  }
  if (msg.msg_flags & MSG_TRUNC || msg.msg_flags & MSG_CTRUNC) {
+    if (msg.msg_flags & MSG_CTRUNC) {
+      // Extraordinary case, not caller fixable. Log something.
+      LOG(ERROR) << "recvmsg returned MSG_CTRUNC flag, buffer len is "
+                 << msg.msg_controllen;
+    }
    for (unsigned i = 0; i < wire_fds_len; ++i)
      close(wire_fds[i]);
    errno = EMSGSIZE;

--- a/content/browser/renderer_host/p2p/socket_dispatcher_host.cc
+++ b/content/browser/renderer_host/p2p/socket_dispatcher_host.cc
@@ -43,6 +43,11 @@ const uint8_t kPublicIPv6Host[] = {
    0x20, 0x01, 0x48, 0x60, 0x48, 0x60, 0, 0, 0, 0, 0, 0, 0, 0, 0x88, 0x88};
 const int kPublicPort = 53;  // DNS port.
+// Experimentation shows that creating too many sockets creates odd problems
+// because of resource exhaustion in the Unix sockets domain.
+// Trouble has been seen on Linux at 3479 sockets in test, so leave a margin.
+const int kMaxSimultaneousSockets = 3000;
 }  // namespace
 const size_t kMaximumPacketSize = 32768;
@@ -267,6 +272,11 @@ void P2PSocketDispatcherHost::OnCreateSocket(
        std::make_unique<network::ProxyResolvingClientSocketFactory>(
            nullptr, url_context_->GetURLRequestContext());
  }
+  if (sockets_.size() > kMaxSimultaneousSockets) {
+    LOG(ERROR) << "Too many sockets created";
+    Send(new P2PMsg_OnError(socket_id));
+    return;
+  }
  std::unique_ptr<P2PSocketHost> socket(P2PSocketHost::Create(
      this, socket_id, type, url_context_.get(),
      proxy_resolving_socket_factory_.get(), &throttler_));

--- a/content/browser/sandbox_ipc_linux.cc
+++ b/content/browser/sandbox_ipc_linux.cc
@@ -144,7 +144,13 @@ void SandboxIPCHandler::HandleRequestFromChild(int fd) {
      base::UnixDomainSocket::RecvMsg(fd, buf, sizeof(buf), &fds);
  if (len == -1) {
    // TODO: should send an error reply, or the sender might block forever.
-    NOTREACHED() << "Sandbox host message is larger than kMaxFontFamilyLength";
+    if (errno == EMSGSIZE) {
+      NOTREACHED()
+          << "Sandbox host message is larger than kMaxFontFamilyLength";
+    } else {
+      PLOG(ERROR) << "Recvmsg failed";
+      NOTREACHED();
+    }
    return;
  }
  if (fds.empty())

--- a/third_party/WebKit/LayoutTests/SlowTests
+++ b/third_party/WebKit/LayoutTests/SlowTests
@@ -510,3 +510,7 @@ crbug.com/825170 external/wpt/css/css-transitions/properties-value-implicit-001.
 crbug.com/825170 external/wpt/css/css-transitions/properties-value-inherit-001.html [ Slow ]
 crbug.com/825170 external/wpt/css/css-transitions/properties-value-inherit-002.html [ Slow ]
 crbug.com/825170 external/wpt/css/css-transitions/transitioncancel-001.html [ Slow ]
+# This test does a lot of IPC because it tests limits on IPC allocations,
+# and is therefore slow.
+crbug.com/826957 fast/peerconnection/RTCPeerConnection-manyCandidates.html [ Slow ]
--- a/third_party/WebKit/LayoutTests/fast/peerconnection/RTCPeerConnection-manyCandidates.html
+++ b/third_party/WebKit/LayoutTests/fast/peerconnection/RTCPeerConnection-manyCandidates.html
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+// Check that the number of ICE candidates that we can generate hasn't regressed
+// At the moment (Nov 2017), the limit is approx
+// - 3900 on Linux
+let peerConnections = [];
+function allocatePeerConnection(candidates) {
+  peerConnections.push(new RTCPeerConnection(
+      {iceCandidatePoolSize: candidates}));
+}
+function cleanUpPeerConnections() {
+  // Close all peer connections so that they may be garbage collected.
+  peerConnections.forEach(pc => {
+    pc.close();
+  });
+  peerConnections = [];
+}
+promise_test(function(t) {
+  return new Promise(function(resolve, reject) {
+    // We're aiming to create > 3000 candidates with minimum effort.
+    for (let i = 0; i < 13; i++) {
+      allocatePeerConnection(250);
+    }
+    t.step_timeout(function() {
+      cleanUpPeerConnections();
+      resolve()
+    }, 2000);
+  });
+}, 'Create many PeerConnections with large pool sizes', {timeout: 60000});
+</script>
+</body>
+</html>