authorTaylor Brandstetter <deadbeef@webrtc.org>2020-09-24 15:32:25 -0700
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-10-27 09:28:11 +0000
commit6ef8f4ed82915703d25c80ace6148e5e1413a78e (patch)
tree300186646961c90ba3c3e22121902eb27a78268b
parent489d6e637e53f9293ea8cb91c045b37213455033 (diff)
downloadqtwebengine-chromium-6ef8f4ed82915703d25c80ace6148e5e1413a78e.tar.gz
[Backport] CVE-2020-15987: Use after free in WebRTC (2/2)
Partial backport of patch originally reviewed on https://webrtc-review.googlesource.com/c/src/+/184240: Fix for OnSctpInboundPacket being called after transport destruction. OnSctpInboundPacket is called not only for incoming packets, but for notifications, which can be delivered on the usrsctp timer thread. I suspect that these notifications can be delivered after we attempt to close the socket, because if we attempt to close it while the timer thread holds a reference, it isn't actually destroyed until the timer thread finishes its operation. Bug: chromium:1127774 Change-Id: Id6a883b14796e8f5bf1c2990f3d9d389d72c8a46 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/webrtc/media/sctp/sctp_transport.cc14
1 files changed, 12 insertions, 2 deletions
diff --git a/chromium/third_party/webrtc/media/sctp/sctp_transport.cc b/chromium/third_party/webrtc/media/sctp/sctp_transport.cc
index 78bb777cfc5..80fd7317b0d 100644
--- a/chromium/third_party/webrtc/media/sctp/sctp_transport.cc
+++ b/chromium/third_party/webrtc/media/sctp/sctp_transport.cc
@@ -384,7 +384,17 @@ class SctpTransport::UsrSctpWrapper {
struct sctp_rcvinfo rcv,
int flags,
void* ulp_info) {
- SctpTransport* transport = static_cast<SctpTransport*>(ulp_info);
+ SctpTransport* transport = GetTransportFromSocket(sock);
+ if (!transport) {
+ RTC_LOG(LS_ERROR)
+ << "OnSctpInboundPacket: Failed to get transport for socket " << sock
+ << "; possibly was already destroyed.";
+ return 0;
+ }
+ // Sanity check that both methods of getting the SctpTransport pointer
+ // yield the same result.
+ RTC_CHECK_EQ(transport, static_cast<SctpTransport*>(ulp_info));
+
// Post data to the transport's receiver thread (copying it).
// TODO(ldixon): Unclear if copy is needed as this method is responsible for
// memory cleanup. But this does simplify code.
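Review bot: The new early return at `return 0;` after the failed lookup drops `data` without releasing it, while the surviving comment just below states that this callback "is responsible for memory cleanup" — so a notification or packet arriving after the transport is gone now leaks the usrsctp-allocated buffer on every occurrence, which is precisely the window this fix is about. If the rest of the body (it continues past the hunk, and the signature with the `data` parameter begins before it) frees `data` on the normal path, the error path needs the same: `free(data);` immediately before `return 0;`. It is also worth noting in a comment that `RTC_CHECK_EQ(transport, ...)` is fatal, so a stale `ulp_info` on the usrsctp timer thread turns a use-after-free into a deliberate process abort rather than being tolerated — e.g. `// Fatal on mismatch: a stale ulp_info here would otherwise be a use-after-free.`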
@@ -492,7 +502,7 @@ class SctpTransport::UsrSctpWrapper {
if (!transport) {
RTC_LOG(LS_ERROR)
<< "SendThresholdCallback: Failed to get transport for socket "
- << sock;
+ << sock << "; possibly was already destroyed.";
return 0;
}
transport->OnSendThresholdCallback();