Title: [219514] trunk/Source/WebKit
- Revision: 219514
- Author: [email protected]
- Date: 2017-07-14 11:55:40 -0700 (Fri, 14 Jul 2017)
Log Message
Potential null-dereference under NetworkRTCProvider::resolvedName()
https://bugs.webkit.org/show_bug.cgi?id=174507
<rdar://problem/32597868>
Reviewed by Youenn Fablet.
NetworkRTCProvider::resolvedName() could do a null dereference of m_connection
because m_connection is nullified in NetworkRTCProvider::close() but resolvers
were only closed later on in the NetworkRTCProvider destructor.
To address the issue, we now stop DNS resolvers earlier, in NetworkRTCProvider::close().
Also fix unsafe modification of m_resolvers HashMap when iterating over it.
* NetworkProcess/webrtc/NetworkRTCProvider.cpp:
(WebKit::NetworkRTCProvider::~NetworkRTCProvider):
(WebKit::NetworkRTCProvider::close):
(WebKit::NetworkRTCProvider::Resolver::~Resolver):
(WebKit::NetworkRTCProvider::stopResolver):
Diff
Modified: trunk/Source/WebKit/ChangeLog (219513 => 219514)
--- trunk/Source/WebKit/ChangeLog 2017-07-14 18:35:00 UTC (rev 219513)
+++ trunk/Source/WebKit/ChangeLog 2017-07-14 18:55:40 UTC (rev 219514)
@@ -1,3 +1,24 @@
+2017-07-14 Chris Dumez <[email protected]>
+
+ Potential null-dereference under NetworkRTCProvider::resolvedName()
+ https://bugs.webkit.org/show_bug.cgi?id=174507
+ <rdar://problem/32597868>
+
+ Reviewed by Youenn Fablet.
+
+ NetworkRTCProvider::resolvedName() could do a null dereference of m_connection
+ because m_connection is nullified in NetworkRTCProvider::close() but resolvers
+ were only closed later on in the NetworkRTCProvider destructor.
+
+ To address the issue, we now stop DNS resolvers earlier, in NetworkRTCProvider::close().
+ Also fix unsafe modification of m_resolvers HashMap when iterating over it.
+
+ * NetworkProcess/webrtc/NetworkRTCProvider.cpp:
+ (WebKit::NetworkRTCProvider::~NetworkRTCProvider):
+ (WebKit::NetworkRTCProvider::close):
+ (WebKit::NetworkRTCProvider::Resolver::~Resolver):
+ (WebKit::NetworkRTCProvider::stopResolver):
+
2017-07-14 Youenn Fablet <[email protected]>
Report CoreAudioCaptureSource failure in case shared unit stops working properly
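Review bot: The function list in this entry names Resolver::~Resolver as changed, but the NetworkRTCProvider.cpp hunks shown with this revision touch only ~NetworkRTCProvider(), close() and stopResolver(); either drop that line or include the change it refers to. The entry also lists no test file for the null dereference, so it should say whether a regression test is feasible.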
Modified: trunk/Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.cpp (219513 => 219514)
--- trunk/Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.cpp 2017-07-14 18:35:00 UTC (rev 219513)
+++ trunk/Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.cpp 2017-07-14 18:55:40 UTC (rev 219514)
@@ -69,13 +69,14 @@
ASSERT(!m_connection);
ASSERT(!m_sockets.size());
ASSERT(!m_rtcMonitor.isStarted());
-
- for (auto identifier : m_resolvers.keys())
- stopResolver(identifier);
}
void NetworkRTCProvider::close()
{
+ // Cancel all pending DNS resolutions.
+ while (!m_resolvers.isEmpty())
+ stopResolver(*m_resolvers.keys().begin());
+
m_connection = nullptr;
m_rtcMonitor.stopUpdating();
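Review bot: The destructor now depends on close() having already run, but unlike the neighbouring ASSERT(!m_connection) and ASSERT(!m_sockets.size()) lines nothing checks that m_resolvers is empty; add ASSERT(m_resolvers.isEmpty()) there so a path that destroys the provider without calling close() is caught instead of leaving resolutions pending. In close(), the while loop terminates only because stopResolver() removes the key it is given through take(); a one-line comment stating that dependency would keep a later change to stopResolver() from turning the loop into a hang.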
@@ -184,8 +185,8 @@
void NetworkRTCProvider::stopResolver(uint64_t identifier)
{
- auto resolver = m_resolvers.take(identifier);
- if (resolver)
+ ASSERT(identifier);
+ if (auto resolver = m_resolvers.take(identifier))
CFHostCancelInfoResolution(resolver->host.get(), CFHostInfoType::kCFHostAddresses);
}
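Review bot: ASSERT(identifier) at the top of stopResolver() is a debug-only check, so in release builds a zero identifier still reaches m_resolvers.take(); if zero is not a valid key for this map, add an early return for it alongside the assertion rather than relying on the assertion alone. A short comment on why zero is rejected would also help, since the reason is not visible in this function.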