From 9c908e9c9f81ae234795c4f6350920d55132b998 Mon Sep 17 00:00:00 2001
From: Maks Orlovich
Date: Tue, 22 Nov 2022 22:18:55 +0000
Subject: [Backport] CVE-2023-0129: Heap buffer overflow in Network Service

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4048289:

Align NetworkContext::SetNetworkConditions better with devtools emulateNetworkConditions

The former used values of 0 to disable particular throttles, while the later documents -1, and looks to be pretty much a direct client, and the only one. So make NetworkService handle everything <= 0 as a disable, clamping at intake of config.

Bug: 1382033
(cherry picked from commit ce463c2c939818a12bbcec5e2c91c35f2a0a1f0e)
Change-Id: I2fd3f075d5071cb0cf647838782115b5c00405bf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4035891
Reviewed-by: Ken Buchanan
Reviewed-by: Eric Orth
Commit-Queue: Maks Orlovich
Cr-Original-Commit-Position: refs/heads/main@{#1073566}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4048289
Cr-Commit-Position: refs/branch-heads/5414@{#188}
Cr-Branched-From: 4417ee59d7bf6df7a9c9ea28f7722d2ee6203413-refs/heads/main@{#1070088}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/454382
Reviewed-by: Allan Sandfeld Jensen
---
 chromium/services/network/public/mojom/network_context.mojom | 4 ++--
 chromium/services/network/throttling/network_conditions.cc | 8 +++++---
 chromium/services/network/throttling/network_conditions.h | 2 ++
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/chromium/services/network/public/mojom/network_context.mojom b/chromium/services/network/public/mojom/network_context.mojom
index 7a5ed4b72e1..04f9bf2a6c2 100644
--- a/chromium/services/network/public/mojom/network_context.mojom
+++ b/chromium/services/network/public/mojom/network_context.mojom
@@ -483,11 +483,11 @@ struct NetworkConditions {
   // response received.
   mojo_base.mojom.TimeDelta latency;
-  // Maximal aggregated download throughput (bytes/sec). 0 disables download
+  // Maximal aggregated download throughput (bytes/sec). <=0 disables download
   // throttling.
   double download_throughput;
-  // Maximal aggregated upload throughput (bytes/sec). 0 disables upload
+  // Maximal aggregated upload throughput (bytes/sec). <=0 disables upload
   // throttling.
   double upload_throughput;
 };
diff --git a/chromium/services/network/throttling/network_conditions.cc b/chromium/services/network/throttling/network_conditions.cc
index 71cd4ac0e52..18b2b6e0efd 100644
--- a/chromium/services/network/throttling/network_conditions.cc
+++ b/chromium/services/network/throttling/network_conditions.cc
@@ -4,6 +4,8 @@
 
 #include "services/network/throttling/network_conditions.h"
 
+#include 
+
 namespace network {
 
 NetworkConditions::NetworkConditions() : NetworkConditions(false) {}
 
@@ -16,9 +18,9 @@ NetworkConditions::NetworkConditions(bool offline,
                                      double download_throughput,
                                      double upload_throughput)
     : offline_(offline),
-      latency_(latency),
-      download_throughput_(download_throughput),
-      upload_throughput_(upload_throughput) {}
+      latency_(std::max(latency, 0.0)),
+      download_throughput_(std::max(download_throughput, 0.0)),
+      upload_throughput_(std::max(upload_throughput, 0.0)) {}
 
 NetworkConditions::~NetworkConditions() {}
 
diff --git a/chromium/services/network/throttling/network_conditions.h b/chromium/services/network/throttling/network_conditions.h
index 7b34446f654..2c08c88e9b5 100644
--- a/chromium/services/network/throttling/network_conditions.h
+++ b/chromium/services/network/throttling/network_conditions.h
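Review bot: The `latency` field's comment, whose last line `// response received.` opens the hunk, is left untouched while the two throughput comments now state that `<=0` disables the throttle, so a client reading only this struct cannot tell whether a non-positive latency is rejected, clamped or honoured. If the clamp that network_conditions.cc now applies to `latency` covers this field as well, say so in the same form as the other two, e.g. append `// <=0 disables latency emulation.` after the existing sentence. The struct's definition and the start of the latency comment lie outside the hunk.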
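Review bot: `std::max(latency, 0.0)` on the first added initializer (and the two throughput initializers below it) returns the first argument unchanged when it is NaN, because `NaN < 0.0` is false, so a NaN double reaching this constructor passes the clamp this fix introduces and is stored as-is; whether the downstream throttling arithmetic tolerates NaN is not visible here, so the guard should fail closed. A comparison does that without `<cmath>`: `latency_(latency > 0.0 ? latency : 0.0)`, and likewise for `download_throughput_` and `upload_throughput_`. The constructor's signature begins outside the hunk, and the comment added in network_conditions.h (`0 if the corresponding throttle is disabled, >0 otherwise`) relies on this invariant actually holding for every input.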
@@ -28,6 +28,8 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkConditions {
   bool IsThrottling() const;
 
   bool offline() const { return offline_; }
+
+  // These are 0 if the corresponding throttle is disabled, >0 otherwise.
   double latency() const { return latency_; }
   double download_throughput() const { return download_throughput_; }
   double upload_throughput() const { return upload_throughput_; }
-- 
cgit v1.2.1