author | Jaroslav Sevcik <jarin@chromium.org> | 2022-03-09 09:20:01 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2022-05-20 15:34:06 +0000 |
commit | acde086abfa804917448d8e3bdca470917d0e658 (patch) | |
tree | 6dc866bd990c94b062d65aded955ca0f0b15fda3 | |
parent | ae89c0c16bfc7de4b999f82159ed9aa8f814fb81 (diff) | |
download | qtwebengine-chromium-acde086abfa804917448d8e3bdca470917d0e658.tar.gz |
[Backport] CVE-2022-1493: Use after free in Dev Tools
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3510307:
Use weak pointers for devtools http server handlers
This makes sure that we do not call HttpServer message handlers
on a deallocated HttpServer instance.
Interestingly, the weak pointer factory was already there, but
it was unused.
Bug: chromium:1275414
Change-Id: Ic0c33319bb3e67e3c15349d07acbaad64a7f62e3
Reviewed-by: Robbie McElrath <rmcelrath@chromium.org>
Reviewed-by: Danil Somsikov <dsv@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#979140}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/services/network/public/cpp/server/http_server.cc | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/chromium/services/network/public/cpp/server/http_server.cc b/chromium/services/network/public/cpp/server/http_server.cc
index f390f38a2d2..a2cb2534f6c 100644
--- a/chromium/services/network/public/cpp/server/http_server.cc
+++ b/chromium/services/network/public/cpp/server/http_server.cc
@@ -105,8 +105,8 @@ void HttpServer::SendRaw(int connection_id,
 connection->write_watcher().Watch(
 connection->send_handle(),
 MOJO_HANDLE_SIGNAL_WRITABLE | MOJO_HANDLE_SIGNAL_PEER_CLOSED,
- base::BindRepeating(&HttpServer::OnWritable, base::Unretained(this),
- connection->id()));
+ base::BindRepeating(&HttpServer::OnWritable,
+ weak_ptr_factory_.GetWeakPtr(), connection->id()));
 }
 }
 
@@ -180,9 +180,9 @@ bool HttpServer::SetSendBufferSize(int connection_id, int32_t size) {
 }
 
 void HttpServer::DoAcceptLoop() {
- server_socket_->Accept(
- mojo::NullRemote(), /* observer */
- base::BindOnce(&HttpServer::OnAcceptCompleted, base::Unretained(this)));
+ server_socket_->Accept(mojo::NullRemote(), /* observer */
+ base::BindOnce(&HttpServer::OnAcceptCompleted,
+ weak_ptr_factory_.GetWeakPtr()));
 }
 
 void HttpServer::OnAcceptCompleted(
@@ -210,8 +210,8 @@ void HttpServer::OnAcceptCompleted(
 connection->receive_handle(),
 MOJO_HANDLE_SIGNAL_READABLE | MOJO_HANDLE_SIGNAL_PEER_CLOSED,
 MOJO_TRIGGER_CONDITION_SIGNALS_SATISFIED,
- base::BindRepeating(&HttpServer::OnReadable, base::Unretained(this),
- connection->id()));
+ base::BindRepeating(&HttpServer::OnReadable,
+ weak_ptr_factory_.GetWeakPtr(), connection->id()));
 }
 
 DoAcceptLoop(); |
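Review bot: The three rebinds (`OnWritable` in SendRaw, `OnAcceptCompleted` in DoAcceptLoop, `OnReadable` in OnAcceptCompleted) are only safe if `weak_ptr_factory_` is invalidated before any other HttpServer member is torn down, and nothing visible in these hunks states or enforces that. The member declaration is outside this diff, so http_server.h should be checked to confirm that `weak_ptr_factory_` is the last data member, and that the watcher and accept callbacks run on the same sequence that destroys the server, since a base::WeakPtr may only be checked and invalidated on one sequence. A short comment at the first bind would keep a later edit from reverting to `base::Unretained(this)`, for example `// Bound weakly: this callback can run after |this| is destroyed (chromium:1275414).` The diffstat lists only http_server.cc, so the fix arrives without a regression test that destroys the server while an accept or a handle watch is still pending. All three enclosing function bodies start or end outside their hunks, so other `base::Unretained(this)` bindings elsewhere in the file cannot be ruled out from here.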