Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(577)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/client_socket_pool_base.cc

Issue 9226011: Fix a use-after free in socket pool which can happen after reaching the maxium number of sockets. (Closed) Base URL: http://git.chromium.org/chromium/src.git@master
Patch Set: Created 8 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/socket/client_socket_pool_base.h" 5 #include "net/socket/client_socket_pool_base.h"
6 6
7 #include <math.h> 7 #include <math.h>
8 #include "base/compiler_specific.h" 8 #include "base/compiler_specific.h"
9 #include "base/debug/alias.h" 9 #include "base/debug/alias.h"
10 #include "base/format_macros.h" 10 #include "base/format_macros.h"
(...skipping 368 matching lines...) Expand 10 before | Expand all | Expand 10 after
379 do { 379 do {
380 if (!CloseOneIdleConnectionInLayeredPool()) { 380 if (!CloseOneIdleConnectionInLayeredPool()) {
381 // We could check if we really have a stalled group here, but it 381 // We could check if we really have a stalled group here, but it
382 // requires a scan of all groups, so just flip a flag here, and do 382 // requires a scan of all groups, so just flip a flag here, and do
383 // the check later. 383 // the check later.
384 request->net_log().AddEvent( 384 request->net_log().AddEvent(
385 NetLog::TYPE_SOCKET_POOL_STALLED_MAX_SOCKETS, NULL); 385 NetLog::TYPE_SOCKET_POOL_STALLED_MAX_SOCKETS, NULL);
386 return ERR_IO_PENDING; 386 return ERR_IO_PENDING;
387 } 387 }
388 } while (ReachedMaxSocketsLimit()); 388 } while (ReachedMaxSocketsLimit());
389
390 // It is possible that CloseOneIdleConnectionInLayeredPool() has deleted
391 // our Group (see http://crbug.com/109876), so look it up again
392 // to be safe.
393 group = GetOrCreateGroup(group_name);
389 } 394 }
390 } 395 }
391 396
392 // We couldn't find a socket to reuse, and there's space to allocate one, 397 // We couldn't find a socket to reuse, and there's space to allocate one,
393 // so allocate and connect a new one. 398 // so allocate and connect a new one.
394 scoped_ptr<ConnectJob> connect_job( 399 scoped_ptr<ConnectJob> connect_job(
395 connect_job_factory_->NewConnectJob(group_name, *request, this)); 400 connect_job_factory_->NewConnectJob(group_name, *request, this));
396 401
397 connect_job->Initialize(preconnecting); 402 connect_job->Initialize(preconnecting);
398 int rv = connect_job->Connect(); 403 int rv = connect_job->Connect();
(...skipping 857 matching lines...) Expand 10 before | Expand all | Expand 10 after
1256 } 1261 }
1257 1262
1258 } // namespace internal 1263 } // namespace internal
1259 1264
1260 } // namespace net 1265 } // namespace net
1261 1266
1262 // Restore default optimization settings. 1267 // Restore default optimization settings.
1263 #if defined(COMPILER_MSVC) 1268 #if defined(COMPILER_MSVC)
1264 #pragma optimize("", on) 1269 #pragma optimize("", on)
1265 #endif 1270 #endif
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698