Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c458fe1b1cc2ad4e829eee311226fc057508d2d6
https://github.com/WebKit/WebKit/commit/c458fe1b1cc2ad4e829eee311226fc057508d2d6
Author: Youenn Fablet <[email protected]>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/webrtc/p2p/base/packet_transport_internal.cc
M Source/ThirdParty/libwebrtc/Source/webrtc/p2p/base/packet_transport_internal.h
M Source/ThirdParty/libwebrtc/Source/webrtc/p2p/dtls/dtls_transport.cc
Log Message:
-----------
[WebRTC] Heap-use-after-free in `DtlsTransportInternalImpl` when RTCP-mux is
negotiated after initial non-mux session
rdar://173510839
Reviewed by Jer Noble.
DTLSTransport is not unregistering itself from receive/send callbacks, which
can trigger a UAF.
We fix this by adding API to register/unregister a specific listener, and use
that API in DtlsTransportInternalImpl destructor and in
DtlsTransportInternalImpl::ConnectToIceTransport.
We manually validated the fix using a specific STUN server.
We should upgrade our testing infra to support running the test with the STUN
server.
Originally-landed-as: 305413.603@rapid/safari-7624.2.5.110-branch
(5112c9dc3525). rdar://176062217
Canonical link: https://commits.webkit.org/315000@main
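
Added example (not WebKit or libwebrtc code): a minimal C++ model of the fix pattern the log message describes, where a listener registers under its own address as a tag and removes exactly that registration both in its destructor and when it connects to a different transport. All class and method names are hypothetical, and the scenario in `run_demo` is constructed.

```cpp
#include <functional>
#include <map>
#include <string>
#include <utility>

// Hypothetical transport; callbacks are keyed by an opaque tag so one listener can be removed.
class PacketTransport {
public:
    using Callback = std::function<void(const std::string&)>;
    void RegisterReceiveCallback(const void* tag, Callback cb) { callbacks_[tag] = std::move(cb); }
    void DeregisterReceiveCallback(const void* tag) { callbacks_.erase(tag); }
    std::size_t Deliver(const std::string& packet) {  // returns how many callbacks ran
        for (const auto& entry : callbacks_) entry.second(packet);
        return callbacks_.size();
    }
private:
    std::map<const void*, Callback> callbacks_;
};

// Hypothetical listener whose callback captures `this`; the transport may outlive it.
class Listener {
public:
    explicit Listener(int* received) : received_(received) {}
    ~Listener() { ConnectTo(nullptr); }  // never leave a callback pointing at freed memory
    void ConnectTo(PacketTransport* next) {
        if (transport_) transport_->DeregisterReceiveCallback(this);  // drop the old registration
        transport_ = next;
        if (transport_) transport_->RegisterReceiveCallback(this, [this](const std::string&) { ++*received_; });
    }
private:
    PacketTransport* transport_ = nullptr;
    int* received_;
};

// Constructed scenario: re-target the listener, destroy it, then keep delivering packets.
int run_demo() {
    PacketTransport first, second;
    int received = 0;
    {
        Listener listener(&received);
        listener.ConnectTo(&first);
        listener.ConnectTo(&second);  // must also remove the registration on `first`
        first.Deliver("stale");       // no listener left on the old transport
        second.Deliver("live");       // counted once
    }
    second.Deliver("late");           // listener destroyed; no callback runs
    return received;
}

int main() { return run_demo() == 1 ? 0 : 1; }
```

Removing either `DeregisterReceiveCallback` call leaves a stored lambda holding a dangling `this`, which is the condition the commit closes; building the variant with AddressSanitizer makes the resulting access visible.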