Closed Bug 1121058 Opened 5 years ago Closed 5 years ago

uaf in assert http2session.cpp

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Version:
32 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla38

People

(Reporter: mcmanus, Assigned: mcmanus)

Details

(Keywords: csectype-uaf, Whiteboard: [spdy])

Attachments

(1 file)

h2 assert stream id before cleanup
1.38 KB, patch
u408661
: review+
Details | Diff | Splinter Review 
http2Session.cpp 2685

   CleanupStream(streamID, NS_OK, CANCEL_ERROR);
   MOZ_ASSERT(!mNeedsCleanup || mNeedsCleanup->StreamID() == streamID);

the assert derefs mNeedsCleanup, which can be use after free after cleanupstrem() is done. This is both uaf and makes the assert occasionally incorrect.

since this is a debug only assert I don't see a reason to backport or security flag it.
Attachment #8548326 - Flags: review?(hurley)
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Attachment #8548326 - Flags: review?(hurley) → review+
https://hg.mozilla.org/mozilla-central/rev/544315e9741c
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You need to log in before you can comment on or make changes to this bug.