Changeset 219514 in webkit


Timestamp: Jul 14, 2017, 11:55:40 AM (8 years ago)
Author: Chris Dumez
Message:

Potential null-dereference under NetworkRTCProvider::resolvedName()
https://bugs.webkit.org/show_bug.cgi?id=174507
<rdar://problem/32597868>

Reviewed by Youenn Fablet.

NetworkRTCProvider::resolvedName() could do a null dereference of m_connection
because m_connection is nullified in NetworkRTCProvider::close() but resolvers
were only closed later on in the NetworkRTCProvider destructor.

To address the issue, we now stop DNS resolvers earlier, in NetworkRTCProvider::close().
Also fix unsafe modification of m_resolvers HashMap when iterating over it.

  • NetworkProcess/webrtc/NetworkRTCProvider.cpp:

(WebKit::NetworkRTCProvider::~NetworkRTCProvider):
(WebKit::NetworkRTCProvider::close):
(WebKit::NetworkRTCProvider::Resolver::~Resolver):
(WebKit::NetworkRTCProvider::stopResolver):

Location: trunk/Source/WebKit
Files: 2 edited

  • trunk/Source/WebKit/ChangeLog

    r219511 r219514  
     12017-07-14  Chris Dumez  <cdumez@apple.com>
     2
     3        Potential null-dereference under NetworkRTCProvider::resolvedName()
     4        https://bugs.webkit.org/show_bug.cgi?id=174507
     5        <rdar://problem/32597868>
     6
     7        Reviewed by Youenn Fablet.
     8
     9        NetworkRTCProvider::resolvedName() could do a null dereference of m_connection
     10        because m_connection is nullified in NetworkRTCProvider::close() but resolvers
     11        were only closed later on in the NetworkRTCProvider destructor.
     12
     13        To address the issue, we now stop DNS resolvers earlier, in NetworkRTCProvider::close().
     14        Also fix unsafe modification of m_resolvers HashMap when iterating over it.
     15
     16        * NetworkProcess/webrtc/NetworkRTCProvider.cpp:
     17        (WebKit::NetworkRTCProvider::~NetworkRTCProvider):
     18        (WebKit::NetworkRTCProvider::close):
     19        (WebKit::NetworkRTCProvider::Resolver::~Resolver):
     20        (WebKit::NetworkRTCProvider::stopResolver):
     21
    1222017-07-14  Youenn Fablet  <youenn@apple.com>
    223
  • trunk/Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.cpp

    r219328 r219514  
    7070    ASSERT(!m_sockets.size());
    7171    ASSERT(!m_rtcMonitor.isStarted());
    72 
    73     for (auto identifier : m_resolvers.keys())
    74         stopResolver(identifier);
    7572}
    7673
    7774void NetworkRTCProvider::close()
    7875{
     76    // Cancel all pending DNS resolutions.
     77    while (!m_resolvers.isEmpty())
     78        stopResolver(*m_resolvers.keys().begin());
     79
    7980    m_connection = nullptr;
    8081    m_rtcMonitor.stopUpdating();
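
Review bot: The destructor no longer stops resolvers, so it now depends on close() having run first, but unlike m_sockets and m_rtcMonitor there is no assertion covering that. Adding `ASSERT(m_resolvers.isEmpty());` next to the two existing ASSERTs would make a missed close() show up in debug builds instead of silently leaving DNS resolutions uncancelled. In close(), the `while (!m_resolvers.isEmpty())` loop terminates only because stopResolver() always removes the key it is given through m_resolvers.take(); a short comment saying so would keep a later change to stopResolver() from turning this into an infinite loop.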
     
    185186void NetworkRTCProvider::stopResolver(uint64_t identifier)
    186187{
    187     auto resolver = m_resolvers.take(identifier);
    188     if (resolver)
     188    ASSERT(identifier);
     189    if (auto resolver = m_resolvers.take(identifier))
    189190        CFHostCancelInfoResolution(resolver->host.get(), CFHostInfoType::kCFHostAddresses);
    190191}
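
Review bot: The new `ASSERT(identifier);` at the top of stopResolver() is a debug-only check, so in release builds a zero identifier still reaches `m_resolvers.take(identifier)`. If zero can never be a valid key, a comment should say why, and an early return for that case would keep release behaviour from depending on the caller. Separately, the crash is fixed through ordering in close() only and resolvedName() is not touched by this change, so a null check of m_connection there would be a cheap second line of defence.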