Closed Bug 1121058 Opened 5 years ago Closed 5 years ago

uaf in assert http2session.cpp

Categories

(Core :: Networking: HTTP, defect)

32 Branch
x86_64
Linux
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla38

People

(Reporter: mcmanus, Assigned: mcmanus)

Details

(Keywords: csectype-uaf, Whiteboard: [spdy])

Attachments

(1 file)

http2Session.cpp 2685

   CleanupStream(streamID, NS_OK, CANCEL_ERROR);
   MOZ_ASSERT(!mNeedsCleanup || mNeedsCleanup->StreamID() == streamID);

The assert derefs mNeedsCleanup, which can be a use-after-free after CleanupStream() is done. This is both a UAF and makes the assert occasionally incorrect.

Since this is a debug-only assert, I don't see a reason to backport or security-flag it.
Attachment #8548326 - Flags: review?(hurley)
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Attachment #8548326 - Flags: review?(hurley) → review+
https://hg.mozilla.org/mozilla-central/rev/544315e9741c
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
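The ordering problem reported above, as an added example that is not Mozilla's code and not the landed patch: a constructed model in which the invariant is evaluated before the cleanup call and the non-owning pointer is cleared when its target is destroyed. Only `CleanupStream`, `mNeedsCleanup` and `StreamID` come from the report; `Session`, `Stream`, `ResetStream` and the other names are hypothetical.

```cpp
// Constructed model of the pattern in the report; not Mozilla's code.
// Session, Stream, ResetStream, AddStream, MarkNeedsCleanup are hypothetical.
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>

class Stream {
 public:
  explicit Stream(uint32_t id) : mID(id) {}
  uint32_t StreamID() const { return mID; }
 private:
  uint32_t mID;
};

class Session {
 public:
  Stream* AddStream(uint32_t id) {
    auto& slot = mStreams[id];
    slot = std::make_unique<Stream>(id);
    return slot.get();
  }
  void MarkNeedsCleanup(Stream* s) { mNeedsCleanup = s; }

  // Destroys the stream. The non-owning pointer is cleared first, so it can
  // never dangle once the owning map entry is gone.
  void CleanupStream(uint32_t id) {
    auto it = mStreams.find(id);
    if (it == mStreams.end()) return;
    if (mNeedsCleanup == it->second.get()) mNeedsCleanup = nullptr;
    mStreams.erase(it);
  }

  // Evaluate the invariant while the object is still alive, then clean up.
  // Checking after CleanupStream() is the ordering the report describes.
  bool ResetStream(uint32_t id) {
    bool held = !mNeedsCleanup || mNeedsCleanup->StreamID() == id;
    CleanupStream(id);
    return held;
  }

  bool HasPendingCleanup() const { return mNeedsCleanup != nullptr; }
  std::size_t StreamCount() const { return mStreams.size(); }
 private:
  std::map<uint32_t, std::unique_ptr<Stream>> mStreams;
  Stream* mNeedsCleanup = nullptr;  // non-owning
};

int main() { Session s; s.MarkNeedsCleanup(s.AddStream(3)); return s.ResetStream(3) ? 0 : 1; }
```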