
Side by Side Diff: content/browser/renderer_host/websocket_host.cc

Issue 998173003: Fix use-after-free in WebSocketHost::AddChannel() (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Comment fix. Created 5 years, 9 months ago
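--- a/content/browser/renderer_host/websocket_host.cc
+++ b/content/browser/renderer_host/websocket_host.cc
@@ -1,10 +1,10 @@
 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/websocket_host.h"
 
 #include "base/basictypes.h"
 #include "base/memory/weak_ptr.h"
 #include "base/strings/string_util.h"
 #include "content/browser/renderer_host/websocket_dispatcher_host.h"
@@ -360,45 +360,57 @@
 base::Bind(&WebSocketHost::AddChannel,
 weak_ptr_factory_.GetWeakPtr(),
 socket_url,
 requested_protocols,
 origin,
 render_frame_id),
 delay_);
 } else {
 AddChannel(socket_url, requested_protocols, origin, render_frame_id);
 }
+// |this| may have been deleted here.
 }
 
 void WebSocketHost::AddChannel(
 const GURL& socket_url,
 const std::vector<std::string>& requested_protocols,
 const url::Origin& origin,
 int render_frame_id) {
 DVLOG(3) << "WebSocketHost::AddChannel"
 << " routing_id=" << routing_id_ << " socket_url=\"" << socket_url
 << "\" requested_protocols=\""
 << JoinString(requested_protocols, ", ") << "\" origin=\""
 << origin.string() << "\"";
 
 DCHECK(!channel_);
 
 scoped_ptr<net::WebSocketEventInterface> event_interface(
 new WebSocketEventHandler(dispatcher_, routing_id_, render_frame_id));
 channel_.reset(
 new net::WebSocketChannel(event_interface.Pass(), url_request_context_));
-channel_->SendAddChannelRequest(socket_url, requested_protocols, origin);
 
 if (pending_flow_control_quota_ > 0) {
-channel_->SendFlowControl(pending_flow_control_quota_);
+// channel_->SendFlowControl(pending_flow_control_quota_) must be called
+// after channel_->SendAddChannelRequest() below.
+// We post OnFlowControl() here using |weak_ptr_factory_| instead of
+// calling SendFlowControl directly, because |this| may have been deleted
+// after channel_->SendAddChannelRequest().
+base::MessageLoop::current()->PostTask(
+FROM_HERE,
+base::Bind(&WebSocketHost::OnFlowControl,
+weak_ptr_factory_.GetWeakPtr(),
+pending_flow_control_quota_));
 pending_flow_control_quota_ = 0;
 }
+
+channel_->SendAddChannelRequest(socket_url, requested_protocols, origin);
+// |this| may have been deleted here.
 }
 
 void WebSocketHost::OnSendFrame(bool fin,
 WebSocketMessageType type,
 const std::vector<char>& data) {
 DVLOG(3) << "WebSocketHost::OnSendFrame"
 << " routing_id=" << routing_id_ << " fin=" << fin
 << " type=" << type << " data is " << data.size() << " bytes";
 
 DCHECK(channel_);
@@ -437,10 +449,10 @@
 "");
 DCHECK_EQ(WebSocketDispatcherHost::WEBSOCKET_HOST_DELETED, result);
 return;
 }
 
 // TODO(yhirano): Handle |was_clean| appropriately.
 channel_->StartClosingHandshake(code, reason);
 }
 
 } // namespace content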
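Review bot: The use-after-free guard in AddChannel() holds only while `channel_->SendAddChannelRequest(...)` stays the last statement that touches members, and nothing but the trailing `// |this| may have been deleted here.` comments records that. I would state the contract where callers see it, on the declaration in websocket_host.h (not shown here): `// May delete |this| synchronously; callers must not touch members after this returns.` The posted `OnFlowControl` task is safe against deletion because it is bound to `weak_ptr_factory_.GetWeakPtr()`, but its body is outside this view, so confirm that it forwards the quota to `channel_->SendFlowControl()` once the channel exists rather than adding it back to `pending_flow_control_quota_`, which was just zeroed. A regression test in which SendAddChannelRequest() deletes the host synchronously while a pending quota is set would keep a later edit from reintroducing the member access.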