New issue
Advanced search Search tips

Issue 756500 link

Starred by 1 user
Status: Fixed
Owner:
rch@chromium.org
Closed: Nov 2017
Cc:
rch@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

QuicChromiumClientSession::StreamRequest can retain an invalid ptr to the underlying Stream.

Project Member Reported by xunji...@chromium.org, Aug 17 2017 
While working on  Issue 754823 , I noticed that QuicChromiumClientSession::StreamRequest can retain an invalid ptr to QuicChromiumClientStream. 

When QuicChromiumClientSession is closed, Handle::|stream_request_| is not null-ed out. If Handle were to access |stream_request_| again, we can have a use-after-free crash. This currently doesn't happen, but it'll be good to clean up the |stream_request_| (or the ptr that it retains) when Session goes away.

Comment 1 by rch@chromium.org, Aug 19 2017 

Good point! I don't think we want to null out stream_request_, because
that's what will end up invoking the callback for the caller. But instead,
we can do something simpler (and in hindsight, totally obvious). The
StreamRequest should store a Stream::Handle instead of a Stream*. This
guarantees that it will always be valid. The Stream* should have set off my
alarm bells.

I'll do the needful.
Project Member

Comment 2 by bugdroid1@chromium.org, Aug 21 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c682cae947096fff0bd2543aab031a2296770b2f

commit c682cae947096fff0bd2543aab031a2296770b2f
Author: Ryan Hamilton <rch@chromium.org>
Date: Mon Aug 21 18:07:17 2017

Store a unique_ptr<StreamHandle> instead of a Stream* in
QuicChromiumClientSession::StreamRequest to avoid use-after-free problems.

Bug:  756500 
Change-Id: Icb25981f61698dff6bf71da03625bdb00c70134d
Reviewed-on: https://chromium-review.googlesource.com/621710
Reviewed-by: Helen Li <xunjieli@chromium.org>
Commit-Queue: Ryan Hamilton <rch@chromium.org>
Cr-Commit-Position: refs/heads/master@{#495987}
[modify] https://crrev.com/c682cae947096fff0bd2543aab031a2296770b2f/net/quic/chromium/bidirectional_stream_quic_impl.cc
[modify] https://crrev.com/c682cae947096fff0bd2543aab031a2296770b2f/net/quic/chromium/quic_chromium_client_session.cc
[modify] https://crrev.com/c682cae947096fff0bd2543aab031a2296770b2f/net/quic/chromium/quic_chromium_client_session.h
[modify] https://crrev.com/c682cae947096fff0bd2543aab031a2296770b2f/net/quic/chromium/quic_http_stream.cc

Comment 3 by rch@chromium.org, Nov 10 2017

Owner: rch@chromium.org
Status: Fixed (was: Untriaged)

Sign in to add a comment