author | Maks Orlovich <morlovich@chromium.org> | 2022-11-22 22:18:55 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-01-20 14:53:58 +0000 |
commit | 9c908e9c9f81ae234795c4f6350920d55132b998 (patch) | |
tree | 0b54876d79365fa9913720d2b082e65ca4b6ecf9 | |
parent | 406715225b17b2cf4204f17b9b651bef5d397392 (diff) | |
download | qtwebengine-chromium-9c908e9c9f81ae234795c4f6350920d55132b998.tar.gz |
[Backport] CVE-2023-0129: Heap buffer overflow in Network Service
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4048289:
Align NetworkContext::SetNetworkConditions better with devtools emulateNetworkConditions
The former used values of 0 to disable particular throttles, while the
latter documents -1, and looks to be pretty much a direct client, and the
only one. So make NetworkService handle everything <= 0 as a disable,
clamping at intake of config.
Bug: 1382033
(cherry picked from commit ce463c2c939818a12bbcec5e2c91c35f2a0a1f0e)
Change-Id: I2fd3f075d5071cb0cf647838782115b5c00405bf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4035891
Reviewed-by: Ken Buchanan <kenrb@chromium.org>
Reviewed-by: Eric Orth <ericorth@chromium.org>
Commit-Queue: Maks Orlovich <morlovich@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1073566}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4048289
Cr-Commit-Position: refs/branch-heads/5414@{#188}
Cr-Branched-From: 4417ee59d7bf6df7a9c9ea28f7722d2ee6203413-refs/heads/main@{#1070088}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/454382
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
3 files changed, 9 insertions, 5 deletions
diff --git a/chromium/services/network/public/mojom/network_context.mojom b/chromium/services/network/public/mojom/network_context.mojom
index 7a5ed4b72e1..04f9bf2a6c2 100644
--- a/chromium/services/network/public/mojom/network_context.mojom
+++ b/chromium/services/network/public/mojom/network_context.mojom
@@ -483,11 +483,11 @@ struct NetworkConditions {
 // response received.
 mojo_base.mojom.TimeDelta latency;
- // Maximal aggregated download throughput (bytes/sec). 0 disables download
+ // Maximal aggregated download throughput (bytes/sec). <=0 disables download
 // throttling.
 double download_throughput;
- // Maximal aggregated upload throughput (bytes/sec). 0 disables upload
+ // Maximal aggregated upload throughput (bytes/sec). <=0 disables upload
 // throttling.
 double upload_throughput;
 };
diff --git a/chromium/services/network/throttling/network_conditions.cc b/chromium/services/network/throttling/network_conditions.cc
index 71cd4ac0e52..18b2b6e0efd 100644
--- a/chromium/services/network/throttling/network_conditions.cc
+++ b/chromium/services/network/throttling/network_conditions.cc
@@ -4,6 +4,8 @@
 #include "services/network/throttling/network_conditions.h"
+#include <algorithm>
+
 namespace network {
 NetworkConditions::NetworkConditions() : NetworkConditions(false) {}
@@ -16,9 +18,9 @@ NetworkConditions::NetworkConditions(bool offline,
 double download_throughput,
 double upload_throughput)
 : offline_(offline),
- latency_(latency),
- download_throughput_(download_throughput),
- upload_throughput_(upload_throughput) {}
+ latency_(std::max(latency, 0.0)),
+ download_throughput_(std::max(download_throughput, 0.0)),
+ upload_throughput_(std::max(upload_throughput, 0.0)) {}
 NetworkConditions::~NetworkConditions() {}
diff --git a/chromium/services/network/throttling/network_conditions.h b/chromium/services/network/throttling/network_conditions.h
index 7b34446f654..2c08c88e9b5 100644
--- a/chromium/services/network/throttling/network_conditions.h
+++ b/chromium/services/network/throttling/network_conditions.h
@@ -28,6 +28,8 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkConditions {
 bool IsThrottling() const;
 bool offline() const { return offline_; }
+
+ // These are 0 if the corresponding throttle is disabled, >0 otherwise.
 double latency() const { return latency_; }
 double download_throughput() const { return download_throughput_; }
 double upload_throughput() const { return upload_throughput_; } |
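Review bot: In the NetworkConditions constructor hunk of network_conditions.cc, `std::max(x, 0.0)` does not normalise a NaN argument: `std::max` returns its first argument unless that argument compares less than the second, and every comparison with NaN is false, so NaN passes through the clamp unchanged (+infinity is also left as-is). That leaves the invariant stated by the new comment in network_conditions.h ("0 if the corresponding throttle is disabled, >0 otherwise") unenforced for values that arrive as a mojom `double`, presumably from a less-trusted caller. Consider rejecting non-finite input at the same intake point, for example `download_throughput_(std::isfinite(download_throughput) ? std::max(download_throughput, 0.0) : 0.0)` with `<cmath>` included, and the same for `latency_` and `upload_throughput_`. The constructor's parameter list begins outside the hunk, and the three files shown include no regression test for negative or non-finite values.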