Issue 1932653002: Fixes use-after-free bug in QUIC.

Issue 1932653002: Fixes use-after-free bug in QUIC. (Closed)

Created:
4 years, 7 months ago by Jana

Modified:
4 years, 7 months ago

Reviewers:
Ryan Hamilton

CC:
chromium-reviews, cbentzel+watch_chromium.org

Base URL:
https://chromium.googlesource.com/chromium/src.git@master

Target Ref:
refs/pending/heads/master

Project:
chromium

Visibility:
Public.

More Reviews

Description

Fixes use-after-free bug in QUIC. QuicSession destructor ends up calling the QuicSpdyStream destructor, which in turn tries to access a QuicSession method via a non-owning pointer back to the session. This CL arranges for the non-owning pointer to be set to null before QuicSpdyStream destructor is called. Merge Internal CL: 120973813 Creates a MockQuicSession for use in ReliableQuicStreamTest, which currently incorrectly uses a MockQuicSpdySession. The test class being fixed in this CL uses a MockQuicSpdySession, which is a QuicSpdySession, with TestStreams, which are ReliableQuicStreams. Bad things can happen since QuicSpdySession seems to freely assume that its streams are QuicSpdyStreams. Bad things do happen, but they inexplicably seem to show up only in Chromium tests. Merge Internal CL: 120989117 BUG=605474 Committed: https://crrev.com/4ee9d76953f16811186942971822cf12d48db7ae Cr-Commit-Position: refs/heads/master@{#390575}

Patch Set 1 #

Created: 4 years, 7 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Stats (+105 lines, -12 lines)			Patch
M	net/quic/quic_session_test.cc	View	1 chunk	+1 line, -1 line	0 comments	Download
M	net/quic/quic_spdy_session.cc	View	1 chunk	+10 lines, -1 line	0 comments	Download
M	net/quic/quic_spdy_stream.h	View	1 chunk	+4 lines, -0 lines	0 comments	Download
M	net/quic/quic_spdy_stream.cc	View	2 chunks	+8 lines, -1 line	0 comments	Download
M	net/quic/reliable_quic_stream_test.cc	View	3 chunks	+3 lines, -3 lines	0 comments	Download
M	net/quic/test_tools/quic_session_peer.h	View	1 chunk	+0 lines, -1 line	0 comments	Download
M	net/quic/test_tools/quic_session_peer.cc	View	1 chunk	+0 lines, -5 lines	0 comments	Download
M	net/quic/test_tools/quic_test_utils.h	View	1 chunk	+59 lines, -0 lines	0 comments	Download
M	net/quic/test_tools/quic_test_utils.cc	View	1 chunk	+20 lines, -0 lines	0 comments	Download

Messages

Total messages: 12 (7 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

Ryan Hamilton

lgtm, but please include the internal CL numbers in the CL description

4 years, 7 months ago (2016-04-28 19:04:00 UTC) #4

Jana

Description was changed from ========== Fixes use-after-free bug in QUIC. QuicSession destructor ends up calling ...

4 years, 7 months ago (2016-04-29 01:01:30 UTC) #6

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1932653002/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1932653002/1

4 years, 7 months ago (2016-04-29 01:03:24 UTC) #8

commit-bot: I haz the power

Description was changed from ========== Fixes use-after-free bug in QUIC. QuicSession destructor ends up calling ...

4 years, 7 months ago (2016-04-29 02:04:44 UTC) #9

commit-bot: I haz the power

4 years, 7 months ago (2016-04-30 17:23:50 UTC) #11

Message was sent while issue was closed.

Patchset 1 (id:??) landed as
https://crrev.com/4ee9d76953f16811186942971822cf12d48db7ae
Cr-Commit-Position: refs/heads/master@{#390575}

commit-bot: I haz the power

4 years, 7 months ago (2016-04-30 17:59:05 UTC) #12

Message was sent while issue was closed.

Description was changed from

==========
Fixes use-after-free bug in QUIC.

QuicSession destructor ends up calling the QuicSpdyStream destructor, which in
turn tries to access a QuicSession method via a non-owning pointer back to the
session. This CL arranges for the non-owning pointer to be set to null before
QuicSpdyStream destructor is called.

Merge Internal CL: 120973813

Creates a MockQuicSession for use in ReliableQuicStreamTest, which currently
incorrectly uses a MockQuicSpdySession.

The test class being fixed in this CL uses a MockQuicSpdySession, which is a
QuicSpdySession, with TestStreams, which are ReliableQuicStreams. Bad things can
happen since QuicSpdySession seems to freely assume that its streams are
QuicSpdyStreams. Bad things do happen, but they inexplicably seem to show up
only in Chromium tests.

Merge Internal CL: 120989117

BUG=605474
==========

to

==========
Fixes use-after-free bug in QUIC.

QuicSession destructor ends up calling the QuicSpdyStream destructor, which in
turn tries to access a QuicSession method via a non-owning pointer back to the
session. This CL arranges for the non-owning pointer to be set to null before
QuicSpdyStream destructor is called.

Merge Internal CL: 120973813

Creates a MockQuicSession for use in ReliableQuicStreamTest, which currently
incorrectly uses a MockQuicSpdySession.

The test class being fixed in this CL uses a MockQuicSpdySession, which is a
QuicSpdySession, with TestStreams, which are ReliableQuicStreams. Bad things can
happen since QuicSpdySession seems to freely assume that its streams are
QuicSpdyStreams. Bad things do happen, but they inexplicably seem to show up
only in Chromium tests.

Merge Internal CL: 120989117

BUG=605474

Committed: https://crrev.com/4ee9d76953f16811186942971822cf12d48db7ae
Cr-Commit-Position: refs/heads/master@{#390575}
==========

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages