Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9db08685b5353a00949e2564fd1006b8491f815d
https://github.com/WebKit/WebKit/commit/9db08685b5353a00949e2564fd1006b8491f815d
Author: Youenn Fablet <[email protected]>
Date: 2024-08-15 (Thu, 15 Aug 2024)
Changed paths:
M Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.cpp
M Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.h
M Source/WebKit/NetworkProcess/webrtc/NetworkRTCTCPSocketCocoa.h
M Source/WebKit/NetworkProcess/webrtc/NetworkRTCTCPSocketCocoa.mm
M Source/WebKit/NetworkProcess/webrtc/NetworkRTCUDPSocketCocoa.h
M Source/WebKit/NetworkProcess/webrtc/NetworkRTCUDPSocketCocoa.mm
Log Message:
-----------
out-of-bounds memory access in rtc::SocketAddress::SetPort
rdar://126281456
Reviewed by Alex Christensen.
Creating two sockets with the same identifier will destroy the second one
without closing it properly.
We exit early in case we detect redundant identifiers, we do not use
MESSAGE_CHECK as we are processing the messages in a RTC thread.
We add some additional ASSERTS to ensure the model is right.
We fix the underlying weakness of not calling close in NetworkRTCUDPSocketCocoa
by making NetworkRTCUDPSocketCocoaConnections a threadsafe weak ptr and using
this weak pointer for setting the port.
Test that covers the change is in the attached patch to rdar://126281456.
It does not run on the beanch since the branch does not have all the test infra.
* LayoutTests/ipc/network-rtc-provider-crash-expected.txt: Added.
* LayoutTests/ipc/network-rtc-provider-crash.html: Added.
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.cpp:
(WebKit::NetworkRTCProvider::createUDPSocket):
(WebKit::NetworkRTCProvider::createClientTCPSocket):
(WebKit::NetworkRTCProvider::addSocket):
(WebKit::NetworkRTCProvider::doSocketTaskOnRTCNetworkThread): Deleted.
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCProvider.h:
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCTCPSocketCocoa.h:
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCTCPSocketCocoa.mm:
(WebKit::NetworkRTCTCPSocketCocoa::~NetworkRTCTCPSocketCocoa):
(WebKit::NetworkRTCTCPSocketCocoa::close):
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCUDPSocketCocoa.h:
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCUDPSocketCocoa.mm:
(WebKit::NetworkRTCUDPSocketCocoaConnections::NetworkRTCUDPSocketCocoaConnections):
(WebKit::NetworkRTCUDPSocketCocoaConnections::~NetworkRTCUDPSocketCocoaConnections):
(WebKit::NetworkRTCUDPSocketCocoa::setListeningPort): Deleted.
Originally-landed-as: 272448.1028@safari-7618-branch (5cec99ca58dc).
rdar://132958710
Canonical link: https://commits.webkit.org/282300@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
