Closed Bug 1227931 Opened 4 years ago Closed 4 years ago

HTTP2 stream field mReceivedData uninitialized in constructor

Categories

(Core :: Networking: HTTP, defect)


Tracking


RESOLVED FIXED
mozilla45
Tracking Status
firefox45 --- fixed

People

(Reporter: bagder, Assigned: bagder)

Attachments

(1 file)

The mReceivedData field in the Http2Stream class is not initialized in the constructor, which can lead to access of uninitialized memory. sewardj reported over IRC with the following valgrind dump.


    Thread 5 Socket Thread:
    Conditional jump or move depends on uninitialised value(s)
       at 0x6DFF072: mozilla::net::Http2Session::ShutdownEnumerator(mozilla::net::nsAHttpTransaction*, nsAutoPtr<mozilla::net::Http2Stream>&, void*) (netwerk/protocol/http/Http2Session.cpp:155)
       by 0x6DFC6A2: Enumerate (ff-Og-linux64/netwerk/protocol/http/../../../dist/include/nsBaseHashtable.h:216)
       by 0x6DFC6A2: mozilla::net::Http2Session::Close(nsresult) (netwerk/protocol/http/Http2Session.cpp:3027)
       by 0x6E30649: mozilla::net::nsHttpConnection::CloseTransaction(mozilla::net::nsAHttpTransaction*, nsresult) (netwerk/protocol/http/nsHttpConnection.cpp:1497)
       by 0x6E58984: mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) (netwerk/protocol/http/nsHttpConnection.cpp:2079)
       by 0x6D18CD6: nsSocketInputStream::OnSocketReady(nsresult) (netwerk/base/nsSocketTransport2.cpp:288)
       by 0x6D1B95A: nsSocketTransport::OnSocketReady(PRFileDesc*, short) (netwerk/base/nsSocketTransport2.cpp:1885)
       by 0x6D1ED1A: nsSocketTransportService::DoPollIteration(bool, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) (netwerk/base/nsSocketTransportService2.cpp:1083)
       by 0x6D298E4: nsSocketTransportService::Run() (netwerk/base/nsSocketTransportService2.cpp:865)
       by 0x6C7DDB1: nsThread::ProcessNextEvent(bool, bool*) (xpcom/threads/nsThread.cpp:964)
       by 0x6CA6705: NS_ProcessNextEvent(nsIThread*, bool) (xpcom/glue/nsThreadUtils.cpp:297)
       by 0x6F5DB80: mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) (ipc/glue/MessagePump.cpp:355)
       by 0x6F112B8: MessageLoop::RunInternal() (ipc/chromium/src/base/message_loop.cc:234)
After the fact, I've also found this issue reported in the coverity scan as "CID 1225564", which mostly confirms this finding.
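The defect pattern behind this report and the one-line fix, written out as an added example (this is not Gecko code; the class layout, the CloseCode names and values, and the ShutdownCode helper are assumptions that only mirror the shape of Http2Stream and Http2Session::ShutdownEnumerator). The "before" class leaves mReceivedData out of the constructor's initializer list, so a stream created and then torn down before any DATA frame arrives carries an indeterminate bool into the shutdown branch; built with `-O0 -g` and run under valgrind (or with `-fsanitize=memory`), that branch produces the same "Conditional jump or move depends on uninitialised value(s)" report as the trace above, while the fixed class does not.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>

// Stand-ins for the real nsresult close reasons; names and values are
// assumptions for this example, not Gecko's.
enum class CloseCode : uint32_t { Ok = 0, Reset = 1, PartialTransfer = 2 };

// "Before": mirrors the reported defect. mReceivedData has no default
// member initializer and is missing from the initializer list, so a
// stream that never sees a DATA frame reads garbage in RecvdData().
class BuggyStream {
 public:
  explicit BuggyStream(uint32_t id) : mStreamID(id), mCountAsActive(false) {}
  void OnDataFrame(size_t) { mReceivedData = true; }
  bool RecvdData() const { return mReceivedData; }  // indeterminate if never set
 private:
  uint32_t mStreamID;
  bool mCountAsActive;
  bool mReceivedData;  // never initialized
};

// "After": the same class with the field initialized. The initializer-list
// entry is the one-line fix from the patch; the default member initializer
// is belt-and-braces so any future constructor keeps the invariant too.
class FixedStream {
 public:
  explicit FixedStream(uint32_t id)
      : mStreamID(id), mCountAsActive(false), mReceivedData(false) {}
  void OnDataFrame(size_t) { mReceivedData = true; }
  bool RecvdData() const { return mReceivedData; }
 private:
  uint32_t mStreamID;
  bool mCountAsActive;
  bool mReceivedData = false;
};

// Shutdown logic in the shape of Http2Session::ShutdownEnumerator: the
// close reason depends on whether the stream ever received data. This is
// the conditional valgrind flagged when the flag was uninitialized.
template <typename Stream>
CloseCode ShutdownCode(const Stream& s) {
  return s.RecvdData() ? CloseCode::PartialTransfer : CloseCode::Reset;
}

// Fixed stream torn down before any data: deterministic Reset.
CloseCode FixedFreshStreamClose() {
  FixedStream s(1);
  return ShutdownCode(s);
}

// Fixed stream that saw a DATA frame: deterministic PartialTransfer.
CloseCode FixedStreamWithDataClose() {
  FixedStream s(3);
  s.OnDataFrame(16);
  return ShutdownCode(s);
}

int main() {
  // Heap-allocate the buggy stream so valgrind tracks the bytes' definedness.
  //   g++ -O0 -g example.cpp && valgrind ./a.out        (reports the first branch)
  //   clang++ -fsanitize=memory -g example.cpp && ./a.out
  auto buggy = std::make_unique<BuggyStream>(5);
  std::printf("buggy close code: %u\n",
              static_cast<unsigned>(ShutdownCode(*buggy)));
  std::printf("fixed close code: %u\n",
              static_cast<unsigned>(FixedFreshStreamClose()));
  return 0;
}
```

Note that the buggy branch may not misbehave visibly in a normal run, which is exactly why this class of bug survives until a tool like valgrind, MemorySanitizer or Coverity looks at it; only the FixedStream results are deterministic enough to assert on.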
Attachment #8691914 - Flags: review?(hurley) → review+
I don't have a try-run but this is just a single-line change of a constructor...
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/8dd80c8e6994
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45