[webkit-changes] [WebKit/WebKit] 9db086: out-of-bounds memory access in rtc::SocketAddress:...

youennf noreply at github.com
Thu Aug 15 12:11:55 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9db08685b5353a00949e2564fd1006b8491f815d
      https://github.com/WebKit/WebKit/commit/9db08685b5353a00949e2564fd1006b8491f815d
  Author: Youenn Fablet <youenn at apple.com>
  Date:   2024-08-15 (Thu, 15 Aug 2024)

  Changed paths:
    M Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.cpp
    M Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.h
    M Source/WebKit/NetworkProcess/webrtc/NetworkRTCTCPSocketCocoa.h
    M Source/WebKit/NetworkProcess/webrtc/NetworkRTCTCPSocketCocoa.mm
    M Source/WebKit/NetworkProcess/webrtc/NetworkRTCUDPSocketCocoa.h
    M Source/WebKit/NetworkProcess/webrtc/NetworkRTCUDPSocketCocoa.mm

  Log Message:
  -----------
  out-of-bounds memory access in rtc::SocketAddress::SetPort
rdar://126281456

Reviewed by Alex Christensen.

Creating two sockets with the same identifier will destroy the second one without closing it properly.
We exit early in case we detect redundant identifiers, we do not use MESSAGE_CHECK as we are processing the messages in an RTC thread.

We add some additional ASSERTS to ensure the model is right.
We fix the underlying weakness of not calling close in NetworkRTCUDPSocketCocoa by making NetworkRTCUDPSocketCocoaConnections a threadsafe weak ptr and using this weak pointer for setting the port.

Test that covers the change is in the attached patch to rdar://126281456.
It does not run on the branch since the branch does not have all the test infra.

* LayoutTests/ipc/network-rtc-provider-crash-expected.txt: Added.
* LayoutTests/ipc/network-rtc-provider-crash.html: Added.
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.cpp:
(WebKit::NetworkRTCProvider::createUDPSocket):
(WebKit::NetworkRTCProvider::createClientTCPSocket):
(WebKit::NetworkRTCProvider::addSocket):
(WebKit::NetworkRTCProvider::doSocketTaskOnRTCNetworkThread): Deleted.
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.h:
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCTCPSocketCocoa.h:
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCTCPSocketCocoa.mm:
(WebKit::NetworkRTCTCPSocketCocoa::~NetworkRTCTCPSocketCocoa):
(WebKit::NetworkRTCTCPSocketCocoa::close):
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCUDPSocketCocoa.h:
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCUDPSocketCocoa.mm:
(WebKit::NetworkRTCUDPSocketCocoaConnections::NetworkRTCUDPSocketCocoaConnections):
(WebKit::NetworkRTCUDPSocketCocoaConnections::~NetworkRTCUDPSocketCocoaConnections):
(WebKit::NetworkRTCUDPSocketCocoa::setListeningPort): Deleted.

Originally-landed-as: 272448.1028 at safari-7618-branch (5cec99ca58dc). rdar://132958710
Canonical link: https://commits.webkit.org/282300@main
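The lifecycle bug the commit message describes, reduced to a small stand-alone illustration (added here, not WebKit's code): a registry keyed by socket identifier where a second socket created with an already-used identifier is silently dropped and destroyed without close(), next to the fixed path that detects the redundant identifier and exits early. `DemoSocket` and `DemoSocketRegistry` are hypothetical names; the destructor counting sockets destroyed while still open stands in for the added ASSERTs.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <utility>

// Hypothetical stand-in for a network-process socket object.
struct DemoSocket {
    uint64_t identifier;
    bool closed = false;
    explicit DemoSocket(uint64_t id) : identifier(id) {}
    void close() { closed = true; }
    // Hardened teardown: a socket destroyed while still open is closed here,
    // and the event is counted, so a dropped object never leaves its resource dangling.
    ~DemoSocket() { if (!closed) { ++destroyedWhileOpen(); close(); } }
    static int& destroyedWhileOpen() { static int n = 0; return n; }
};

class DemoSocketRegistry {
public:
    // Pre-fix behaviour: insert without checking. On a duplicate identifier the
    // map keeps the first socket and the new one is destroyed without anyone
    // having called close() on it.
    bool addSocketUnchecked(std::unique_ptr<DemoSocket> socket) {
        uint64_t id = socket->identifier;
        return m_sockets.emplace(id, std::move(socket)).second;
    }
    // Post-fix behaviour: treat a redundant identifier as a malformed request
    // and exit early, before a second socket for that identifier exists at all.
    bool addSocketChecked(uint64_t identifier) {
        if (m_sockets.count(identifier))
            return false;
        m_sockets.emplace(identifier, std::make_unique<DemoSocket>(identifier));
        return true;
    }
    size_t size() const { return m_sockets.size(); }
private:
    std::map<uint64_t, std::unique_ptr<DemoSocket>> m_sockets;
};
```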


