Title: [264909] trunk/Source/WebKit
Revision
264909
Author
you...@apple.com
Date
2020-07-27 00:49:27 -0700 (Mon, 27 Jul 2020)

Log Message

Fix null pointer crash in NetworkRTCProvider::createServerTCPSocket
https://bugs.webkit.org/show_bug.cgi?id=214796

Reviewed by Darin Adler.

In case of creating a TCP socket, NetworkRTCProvider will hop to the main thread before creating the socket.
In that case, NetworkRTCProvider may actually be closed between the time of receiving the message and hopping to the main thread.
Protect from this by adding nullptr checks.

* NetworkProcess/webrtc/NetworkRTCProvider.cpp:
(WebKit::NetworkRTCProvider::createServerTCPSocket):
(WebKit::NetworkRTCProvider::createClientTCPSocket):

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (264908 => 264909)


--- trunk/Source/WebKit/ChangeLog	2020-07-27 02:03:46 UTC (rev 264908)
+++ trunk/Source/WebKit/ChangeLog	2020-07-27 07:49:27 UTC (rev 264909)
@@ -1,3 +1,18 @@
+2020-07-27  Youenn Fablet  <you...@apple.com>
+
+        Fix null pointer crash in NetworkRTCProvider::createServerTCPSocket
+        https://bugs.webkit.org/show_bug.cgi?id=214796
+
+        Reviewed by Darin Adler.
+
+        In case of creating a TCP socket, NetworkRTCProvider will hop to the main thread before creating the socket.
+        In that case, NetworkRTCProvider may actually be closed between the time of receiving the message and hoping to the main thread.
+        Protect from this by adding nullptr checks.
+
+        * NetworkProcess/webrtc/NetworkRTCProvider.cpp:
+        (WebKit::NetworkRTCProvider::createServerTCPSocket):
+        (WebKit::NetworkRTCProvider::createClientTCPSocket):
+
 2020-07-25  Simon Fraser  <simon.fra...@apple.com>
 
         Scroll Snap broken when using RTL layout

Modified: trunk/Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.cpp (264908 => 264909)


--- trunk/Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.cpp	2020-07-27 02:03:46 UTC (rev 264908)
+++ trunk/Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.cpp	2020-07-27 07:49:27 UTC (rev 264909)
@@ -140,13 +140,15 @@
 {
     ASSERT(m_rtcNetworkThread.IsCurrent());
     callOnMainThread([this, protectedThis = makeRef(*this), identifier, address, minPort, maxPort, options] {
+        if (!m_connection)
+            return;
+
         if (!m_isListeningSocketAuthorized) {
-            if (m_connection)
-                m_connection->connection().send(Messages::LibWebRTCNetwork::SignalClose(identifier, 1), 0);
+            m_connection->connection().send(Messages::LibWebRTCNetwork::SignalClose(identifier, 1), 0);
             return;
         }
 
-        callOnRTCNetworkThread([this, identifier, address = RTCNetwork::isolatedCopy(address.value), minPort, maxPort, options, connection = makeRef(m_connection->connection())]() mutable {
+        callOnRTCNetworkThread([this, identifier, address = RTCNetwork::isolatedCopy(address.value), minPort, maxPort, options]() mutable {
             std::unique_ptr<rtc::AsyncPacketSocket> socket(m_packetSocketFactory->CreateServerTcpSocket(address, minPort, maxPort, options));
             createSocket(identifier, WTFMove(socket), Socket::Type::ServerTCP, m_ipcConnection.copyRef());
         });
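Review bot: The inner `callOnRTCNetworkThread` lambda captures a raw `this` with no protecting reference, yet it dereferences `m_packetSocketFactory` and `m_ipcConnection` after a second thread hop; the createClientTCPSocket hunk below has the same shape. The outer lambda holds `protectedThis`, but that reference is released when the main-thread task finishes, so the provider's lifetime across the second hop depends on what `callOnRTCNetworkThread` does internally, which is not visible here. If that helper does not retain the provider, add `protectedThis = makeRef(*this)` to the inner capture list. If it does, a one-line comment such as `// callOnRTCNetworkThread keeps the provider alive until the task runs.` would make the guarantee auditable. The function's signature is above the hunk and its body continues below it.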
@@ -163,12 +165,15 @@
 void NetworkRTCProvider::createClientTCPSocket(LibWebRTCSocketIdentifier identifier, const RTCNetwork::SocketAddress& localAddress, const RTCNetwork::SocketAddress& remoteAddress, String&& userAgent, int options)
 {
     callOnMainThread([this, protectedThis = makeRef(*this), identifier, localAddress, remoteAddress, userAgent = WTFMove(userAgent).isolatedCopy(), options]() mutable {
+        if (!m_connection)
+            return;
+
         auto* session = m_connection->networkSession();
         if (!session) {
             m_connection->connection().send(Messages::LibWebRTCNetwork::SignalClose(identifier, 1), 0);
             return;
         }
-        callOnRTCNetworkThread([this, identifier, localAddress = RTCNetwork::isolatedCopy(localAddress.value), remoteAddress = RTCNetwork::isolatedCopy(remoteAddress.value), proxyInfo = proxyInfoFromSession(remoteAddress, *session), userAgent = WTFMove(userAgent).isolatedCopy(), options, connection = makeRef(m_connection->connection())]() mutable {
+        callOnRTCNetworkThread([this, identifier, localAddress = RTCNetwork::isolatedCopy(localAddress.value), remoteAddress = RTCNetwork::isolatedCopy(remoteAddress.value), proxyInfo = proxyInfoFromSession(remoteAddress, *session), userAgent = WTFMove(userAgent).isolatedCopy(), options]() mutable {
             rtc::PacketSocketTcpOptions tcpOptions;
             tcpOptions.opts = options;
             std::unique_ptr<rtc::AsyncPacketSocket> socket(m_packetSocketFactory->CreateClientTcpSocket(localAddress, remoteAddress, proxyInfo, userAgent.utf8().data(), tcpOptions));
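Review bot: createClientTCPSocket dispatches to the main thread without asserting which thread it was entered on, whereas createServerTCPSocket opens with `ASSERT(m_rtcNetworkThread.IsCurrent());`. The new `if (!m_connection)` check appears to rely on `m_connection` being touched only on the main thread, so stating the entry-thread contract here would keep the two functions consistent and catch a wrong-thread caller in debug builds. If this function is also entered on the RTC network thread, add the same assertion as its first statement. A short comment on the early return, e.g. `// The provider may have been closed while this task was queued.`, would explain why no SignalClose is sent in that case. The function body continues past the end of the hunk.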