authorMichael BrĂ¼ning <michael.bruning@qt.io>2020-10-12 14:47:49 +0200
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-10-21 12:12:21 +0000
commit308da5d58b459b0f377dcf9e577d1e29111437da (patch)
treeed39bce7a4dc9ad18772e5a7e433ca0aae044d24
parentcc1e87a0d71b40a2081bc54d2853a699e342fbf6 (diff)
[Backport] CVE-2020-15969: Use after free in WebRTC.
Manual backport of patch originally committed on https://github.com/sctplab/usrsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019: Fix a use-after-free bug for the userland stack. Thanks to Mark Wodrich from Google for finding and reporting the bug. Cherry pick fix for usrsctp UAF bug to M86. The commit being cherry picked is: https://github.com/sctplab/usrsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019 TBR=hta@chromium.org Bug: chromium:1124659 Change-Id: I229c8a01fd051b1dfe499a609f72484ce7611af3 Reviewed-by: Michal Klocek <michal.klocek@qt.io> (cherry picked from commit 0f55630c2f4e811da4e674b217add4d8022efcac) Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rwxr-xr-xchromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_indata.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_indata.c b/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_indata.c
index 8b332355a5b..38e1a9196f5 100755
--- a/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_indata.c
+++ b/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_indata.c
@@ -1694,6 +1694,7 @@ sctp_process_a_data_chunk(struct sctp_tcb *stcb, struct sctp_association *asoc,
int *break_flag, int last_chunk, uint8_t chk_type)
{
struct sctp_tmit_chunk *chk = NULL; /* make gcc happy */
+ struct sctp_stream_in *strm;
uint32_t tsn, fsn, gap, mid;
struct mbuf *dmbuf;
int the_len;
@@ -2329,12 +2330,13 @@ finish_express_del:
/* All can be removed */
TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) {
TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
+ strm = &asoc->strmin[control->sinfo_stream];
sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
if (*abort_flag) {
return (0);
}
if (need_reasm_check) {
- (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
+ (void)sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_NOT_HELD);
need_reasm_check = 0;
}
}
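Review bot: The new line `strm = &asoc->strmin[control->sinfo_stream];` carries the whole fix, but nothing in the hunk says why the lookup has to happen before `sctp_queue_data_to_stream()`, so a later cleanup could move it back below the call and silently reintroduce the use-after-free. I would add directly above the assignment `/* sctp_queue_data_to_stream() may consume and free 'control'; resolve the stream pointer before the call and never touch 'control' after it. */`. The same rule applies to any future use of `control` in this loop body, since the loop only keeps `ncontrol` (saved by TAILQ_FOREACH_SAFE) alive across iterations. As a point of style, `strm` could be declared at the point of use inside the loop instead of at function scope, which keeps the dangerous lifetime relationship local to where it matters. The caller `sctp_process_a_data_chunk` begins and ends outside this hunk.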
@@ -2349,12 +2351,13 @@ finish_express_del:
* control->sinfo_tsn > liste->tsn
*/
TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
+ strm = &asoc->strmin[control->sinfo_stream];
sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
if (*abort_flag) {
return (0);
}
if (need_reasm_check) {
- (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
+ (void)sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_NOT_HELD);
need_reasm_check = 0;
}
}
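Review bot: The second loop has the same shape as the first, and the cached `strm` at the added line is again the only thing standing between the reasm check and a dangling `control`, so it deserves the same lifetime comment: `/* 'control' may be freed by sctp_queue_data_to_stream(); use the pre-resolved 'strm' only. */`. The enclosing loop header and its condition (`control->sinfo_tsn > liste->tsn`, per the surviving comment) are outside the hunk, so I cannot see whether `control` is dereferenced again after the call elsewhere in that body; worth a quick check before merging. `control->sinfo_stream` is still used as an unchecked index into `asoc->strmin` here; presumably the stream id is range-checked against the association's inbound stream count earlier in sctp_process_a_data_chunk, but that is not visible in this hunk, so a one-line comment naming where that validation happens would help the next reader.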