Fix use after free in P2PSocketUdp and P2PSocketTcpBase

Send() method in P2PSocketUdp and P2PSocketTcpBase checks that packet
size is under the limit, but it wasn't handling the error correctly.

Bug: 877514
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: If4ee08051d1085cbdb995868790dacf622b09aad
Reviewed-on: https://chromium-review.googlesource.com/1188751Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: Sergey Ulanov <sergeyu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#585933}

services/network/p2p/socket_tcp.cc

@@ -389,12 +389,6 @@ void P2PSocketTcpBase::Send(
     const std::vector<int8_t>& data,
     const P2PPacketInfo& packet_info,
     const net::MutableNetworkTrafficAnnotationTag& traffic_annotation) {
-  if (data.size() > kMaximumPacketSize) {
-    LOG(ERROR) << "Received P2PHostMsg_Send with a packet that is too big: "
-               << data.size();
-    delete this;
-  }
-
   // Note: dscp is not actually used on TCP sockets as this point,
   // but may be honored in the future.
   if (!socket_) {
@@ -403,8 +397,9 @@ void P2PSocketTcpBase::Send(
     return;
   }
 
-  if (!(packet_info.destination == remote_address_.ip_address)) {
-    // Renderer should use this socket only to send data to |remote_address_|.
+  // Renderer should use this socket only to send data to |remote_address_|.
+  if (data.size() > kMaximumPacketSize ||
+      !(packet_info.destination == remote_address_.ip_address)) {
     NOTREACHED();
     OnError();
     return;

services/network/p2p/socket_udp.cc

@@ -399,9 +399,9 @@ void P2PSocketUdp::Send(
     const P2PPacketInfo& packet_info,
     const net::MutableNetworkTrafficAnnotationTag& traffic_annotation) {
   if (data.size() > kMaximumPacketSize) {
-    LOG(ERROR) << "Received P2PHostMsg_Send with a packet that is too big: "
-               << data.size();
-    delete this;
+    NOTREACHED();
+    OnError();
+    return;
   }
 
   if (!socket_) {