Closed
Bug 1121058
Opened 7 years ago
Closed 7 years ago
uaf in assert http2session.cpp
Categories
(Core :: Networking: HTTP, defect)
Tracking
()
RESOLVED
FIXED
mozilla38
People
(Reporter: mcmanus, Assigned: mcmanus)
Details
(Keywords: csectype-uaf, Whiteboard: [spdy])
Attachments
(1 file)
1.38 KB,
patch
|
u408661
:
review+
|
Details | Diff | Splinter Review |
http2Session.cpp 2685 CleanupStream(streamID, NS_OK, CANCEL_ERROR); MOZ_ASSERT(!mNeedsCleanup || mNeedsCleanup->StreamID() == streamID); the assert derefs mNeedsCleanup, which can be use after free after cleanupstrem() is done. This is both uaf and makes the assert occasionally incorrect. since this is a debug only assert I don't see a reason to backport or security flag it.
Assignee | ||
Comment 1•7 years ago
|
||
Attachment #8548326 -
Flags: review?(hurley)
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Attachment #8548326 -
Flags: review?(hurley) → review+
Assignee | ||
Comment 2•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/544315e9741c
https://hg.mozilla.org/mozilla-central/rev/544315e9741c
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Updated•5 years ago
|
Keywords: csectype-uaf
You need to log in
before you can comment on or make changes to this bug.
Description
•