Chromium Code Reviews

Issue 998173003: Fix use-after-free in WebSocketHost::AddChannel() (Closed)

Created:
5 years, 9 months ago by hiroshige
Modified:
5 years, 9 months ago
Reviewers:
Adam Rice
CC:
darin-cc_chromium.org, jam
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Fix heap-use-after-free in WebSocketHost::AddChannel()

WebSocketHost can be deleted in channel_->SendAddChannelRequest() and this caused heap-use-after-free when |pending_flow_control_quota_| is accessed in WebSocketHost::AddChannel(). This CL fixes it by posting OnFlowControl() with WeakPtr instead of calling SendFlowControl() directly in WebSocketHost::AddChannel().

BUG=466335

Committed: https://crrev.com/d3a1d188162e45f75c87a218a70681c5d92139a8
Cr-Commit-Position: refs/heads/master@{#320260}
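Added example, not code from this CL or from Chromium: a simplified C++ model of the pattern the description names. WebSocketHost, AddChannel(), OnFlowControl() and pending_flow_control_quota_ follow the CL's names; the shared-flag weak handle, the task queue, the self_slot parameter and RunScenario() are constructed stand-ins for base::WeakPtrFactory, a task runner and the owner that may tear the host down.

```cpp
#include <functional>
#include <memory>
#include <queue>
using TaskQueue = std::queue<std::function<void()>>;  // stand-in for a task runner

class WebSocketHost {
 public:
  WebSocketHost(TaskQueue* tasks, int* quota_sink)
      : tasks_(tasks), quota_sink_(quota_sink), alive_(new bool(true)) {}
  // Like a WeakPtrFactory being destroyed: every outstanding handle is invalidated.
  ~WebSocketHost() { *alive_ = false; }

  // |self_slot| is the owner's pointer to |this|; the simulated channel may reset
  // it, so |this| must be treated as gone once SendAddChannelRequest() returns.
  void AddChannel(std::unique_ptr<WebSocketHost>* self_slot, bool channel_deletes_host) {
    pending_flow_control_quota_ = 65536;
    // Fixed pattern: post OnFlowControl() guarded by a weak handle (the task runs
    // only after this method has returned) and touch no member after the call.
    std::weak_ptr<bool> weak = alive_;
    WebSocketHost* self = this;
    tasks_->push([weak, self] {
      std::shared_ptr<bool> alive = weak.lock();
      if (!alive || !*alive) return;  // host already destroyed: task is a no-op
      self->OnFlowControl();
    });
    SendAddChannelRequest(self_slot, channel_deletes_host);
    // Pre-fix code called SendFlowControl(pending_flow_control_quota_) right here,
    // reading a member of the freed object whenever the host had been deleted.
  }

 private:
  void SendAddChannelRequest(std::unique_ptr<WebSocketHost>* self_slot, bool del) {
    if (del) self_slot->reset();  // simulates the channel tearing the host down
  }
  void OnFlowControl() {
    *quota_sink_ = pending_flow_control_quota_;  // "sends" the quota
    pending_flow_control_quota_ = 0;
  }
  TaskQueue* tasks_;
  int* quota_sink_;
  std::shared_ptr<bool> alive_;
  int pending_flow_control_quota_ = 0;
};

// Runs AddChannel() then drains the queue; returns the quota actually sent
// (0 when the host died first and the guarded task correctly did nothing).
int RunScenario(bool channel_deletes_host) {
  TaskQueue tasks;
  int sent = 0;
  std::unique_ptr<WebSocketHost> host(new WebSocketHost(&tasks, &sent));
  host->AddChannel(&host, channel_deletes_host);
  while (!tasks.empty()) { tasks.front()(); tasks.pop(); }
  return sent;
}
```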

Patch Set 1 #

Patch Set 2 : #

Total comments: 4

Patch Set 3 : Comment fix. #

Stats: +14 lines, -2 lines
M content/browser/renderer_host/websocket_host.cc (2 chunks, +14 lines, -2 lines, 0 comments)

Messages

Total messages: 10 (2 generated)
hiroshige
PTAL. Probably this case (https://code.google.com/p/chromium/codesearch#chromium/src/net/websockets/websocket_channel.cc&sq=package:chromium&type=cs&l=552&rcl=1426131962 is executed) doesn't occur with Blink, but seems to occur ...
5 years, 9 months ago (2015-03-12 08:11:45 UTC) #2
Adam Rice
I'm really sorry I didn't catch this problem. Please write a regression test, either in ...
5 years, 9 months ago (2015-03-12 08:27:24 UTC) #3
hiroshige
Preparing a test in another CL.
https://codereview.chromium.org/998173003/diff/20001/content/browser/renderer_host/websocket_host.cc
File content/browser/renderer_host/websocket_host.cc (right):
https://codereview.chromium.org/998173003/diff/20001/content/browser/renderer_host/websocket_host.cc#newcode370
content/browser/renderer_host/websocket_host.cc:370: // |this| might ...
5 years, 9 months ago (2015-03-12 08:50:19 UTC) #4
Adam Rice
lgtm
5 years, 9 months ago (2015-03-12 08:55:47 UTC) #5
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/998173003/40001
5 years, 9 months ago (2015-03-12 09:04:00 UTC) #7
commit-bot: I haz the power
Committed patchset #3 (id:40001)
5 years, 9 months ago (2015-03-12 10:11:39 UTC) #8
commit-bot: I haz the power
Patchset 3 (id:??) landed as https://crrev.com/d3a1d188162e45f75c87a218a70681c5d92139a8
Cr-Commit-Position: refs/heads/master@{#320260}
5 years, 9 months ago (2015-03-12 10:12:12 UTC) #9
hiroshige
5 years, 9 months ago (2015-03-16 10:29:07 UTC) #10
Message was sent while issue was closed.
A revert of this CL (patchset #3 id:40001) has been created in
https://codereview.chromium.org/1006293002/ by hiroshige@chromium.org.

The reason for reverting is: Speculatively revert for https://crbug.com/467471.
