Fixes use-after-free with Server Migration

net/quic/chromium/quic_stream_factory.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/chromium/quic_stream_factory.h"
 
 #include <openssl/aead.h>
 
 #include <algorithm>
 #include <tuple>
@@ skipping 1244 matching lines @@
     // Track sessions which have recently gone away so that we can disable
     // port suggestions.
     if (session->goaway_received())
       gone_away_aliases_.insert(*it);
 
     active_sessions_.erase(server_id);
     ProcessGoingAwaySession(session, server_id, true);
   }
   ProcessGoingAwaySession(session, all_sessions_[session].server_id(), false);
   if (!aliases.empty()) {
-    const IPEndPoint peer_address = session->connection()->peer_address();
+    DCHECK(base::ContainsKey(session_peer_ip_, session));
+    const IPEndPoint peer_address = session_peer_ip_[session];
     ip_aliases_[peer_address].erase(session);
     if (ip_aliases_[peer_address].empty())
       ip_aliases_.erase(peer_address);
+    session_peer_ip_.erase(session);
+    DVLOG(1) << "Deleted from ip_aliases_ map: "
+             << peer_address.address().ToString();

[Ryan Hamilton, 2016/08/25 19:29:59]

nit: I think you can remove this logging since I doubt it'll be useful later.
But feel free to keep it if you like.

[Jana, 2016/08/25 21:41:26]

Meh. I wasn't sure, but I thought it might be useful. Removed.

   }
   session_aliases_.erase(session);
 }
 
 void QuicStreamFactory::MaybeDisableQuic(QuicChromiumClientSession* session) {
   DCHECK(session);
   uint16_t port = session->server_id().port();
   if (IsQuicDisabled(port))
     return;
 
@@ skipping 591 matching lines @@
 void QuicStreamFactory::ActivateSession(const QuicSessionKey& key,
                                         QuicChromiumClientSession* session) {
   const QuicServerId& server_id(key.server_id());
   DCHECK(!HasActiveSession(server_id));
   UMA_HISTOGRAM_COUNTS("Net.QuicActiveSessions", active_sessions_.size());
   active_sessions_[server_id] = session;
   session_aliases_[session].insert(key);
   const IPEndPoint peer_address = session->connection()->peer_address();
   DCHECK(!base::ContainsKey(ip_aliases_[peer_address], session));
   ip_aliases_[peer_address].insert(session);
+  DCHECK(!base::ContainsKey(session_peer_ip_, session));
+  session_peer_ip_[session] = peer_address;
 }
 
 int64_t QuicStreamFactory::GetServerNetworkStatsSmoothedRttInMicroseconds(
     const QuicServerId& server_id) const {
   url::SchemeHostPort server("https", server_id.host_port_pair().host(),
                              server_id.host_port_pair().port());
   const ServerNetworkStats* stats =
       http_server_properties_->GetServerNetworkStats(server);
   if (stats == nullptr)
     return 0;
@@ skipping 152 matching lines @@
   // Since the session was active, there's no longer an
   // HttpStreamFactoryImpl::Job running which can mark it broken, unless the TCP
   // job also fails. So to avoid not using QUIC when we otherwise could, we mark
   // it as recently broken, which means that 0-RTT will be disabled but we'll
   // still race.
   http_server_properties_->MarkAlternativeServiceRecentlyBroken(
       alternative_service);
 }
 
 }  // namespace net