| Field | Value | Date |
|---|---|---|
| author | Victor Vasiliev <vasilvv@chromium.org> | 2023-01-25 09:45:20 +0000 |
| committer | Michael Brüning <michael.bruning@qt.io> | 2023-02-15 13:59:49 +0000 |
| commit | 8a664ad9a062fad50f300eadd0f519590a9f708b (patch) | |
| tree | 52ae24bf6e1116e73ea65ea2627e69c22afc1b03 | |
| parent | 35c2ba645dd4f643e3621e78f15842807b3600d9 (diff) | |
| download | qtwebengine-chromium-8a664ad9a062fad50f300eadd0f519590a9f708b.tar.gz | |
[Backport] CVE-2023-0471: Use after free in WebTransport
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4143058:
Ensure clean destruction of network::WebTransport
Once the destruction of the object begins, we should not process any
callbacks, nor should we attempt to reset the streams on a connection
that is already being closed.
(cherry picked from commit 57c54ae221d60e9f9394d7ee69634d66c9cd26f3)
Bug: 1376354
Change-Id: Ib49e0ce0b177062cccd0e52368782e291cf8166c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4117501
Commit-Queue: Victor Vasiliev <vasilvv@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1085965}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4143058
Reviewed-by: Victor Vasiliev <vasilvv@chromium.org>
Reviewed-by: Achuith Bhandarkar <achuith@chromium.org>
Owners-Override: Achuith Bhandarkar <achuith@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/5005@{#1424}
Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460491
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/services/network/web_transport.cc | 7 |
|---|---|---|

1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/chromium/services/network/web_transport.cc b/chromium/services/network/web_transport.cc index 1b965987295..8da140c80a9 100644 --- a/chromium/services/network/web_transport.cc +++ b/chromium/services/network/web_transport.cc @@ -177,7 +177,7 @@ class WebTransport::Stream final { ~Stream() { auto* stream = incoming_ ? incoming_.get() : outgoing_.get(); - if (!stream) { + if (!stream || transport_->closing_ || transport_->torn_down_) { return; } stream->MaybeResetDueToStreamObjectGone(); @@ -399,7 +399,10 @@ WebTransport::WebTransport( transport_->Connect(); } -WebTransport::~WebTransport() = default; +WebTransport::~WebTransport() { + // Ensure that we ignore all callbacks while mid-destruction. + torn_down_ = true; +} void WebTransport::SendDatagram(base::span<const uint8_t> data, base::OnceCallback<void(bool)> callback) { |
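Review bot: in the `~Stream()` hunk the new guard `if (!stream || transport_->closing_ || transport_->torn_down_)` dereferences `transport_` unconditionally while still null-checking `stream`; the hunk should carry a one-line comment stating the invariant it relies on (every `Stream` is destroyed before its owning `WebTransport`, so `transport_` is valid here) and why the two flags skip `MaybeResetDueToStreamObjectGone()`: resetting a stream on a connection that is already closing or being torn down touches state that is being destroyed at the same time, which is the use-after-free this change removes. The diffstat shows only web_transport.cc changing, so `closing_` and `torn_down_` are existing members; a pointer to where `closing_` is set would let the next reader confirm that the guard also covers the graceful-close path.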
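Review bot: the new `~WebTransport()` body depends on destruction order that the comment `// Ensure that we ignore all callbacks while mid-destruction.` does not spell out: a destructor body runs before the object's members are destroyed, so setting `torn_down_ = true;` here guarantees that any `Stream` owned by a member container observes the flag in its own `~Stream()`. State that explicitly in the comment, because a later refactor that moves the assignment into a helper invoked after member destruction would silently reopen the window. Also confirm, since it is not visible in this hunk, that the callback entry points the comment refers to already check `torn_down_`; the only check added by this patch is the one in `~Stream()`.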