Closed Bug 1301757 Opened 3 years ago Closed 3 years ago

Null deref crash in mozilla::net::WebSocketChannelParent::RecvAsyncOpen

Categories

(Core :: Networking, defect, critical)

Unspecified
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1301091
Tracking Status
firefox51 --- fixed

People

(Reporter: mccr8, Unassigned)

Details

(Keywords: crash, regression)

This bug was filed from the Socorro interface and is report bp-4fb33c7e-082e-40a5-b7f4-ca49d2160907.
=============================================================

There are 11 of these crashes in the Sept 7 Nightly, making it tied for the top Linux crash. The crashes are almost all from a single installation, but looking at the code there is a real problem here.

The crash is a null deref on the last line:
  rv = LoadInfoArgsToLoadInfo(aLoadInfoArgs, getter_AddRefs(loadInfo));
  if (NS_FAILED(rv)) {
    goto fail;
  }
  rv = loadInfo->GetOriginAttributes(&attrs);

However, if you look at the definition of LoadInfoArgsToLoadInfo in ipc/glue/BackgroundUtils.cpp, if |aOptionalLoadInfoArgs.type() == OptionalLoadInfoArgs::Tvoid_t| then it can return null on success.

This appears to be a regression from bug 1291652. Other places that call this method do the same thing, but maybe they are assured to not hit that case?
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1301091
Crash Signature: [@ mozilla::net::WebSocketChannelParent::RecvAsyncOpen]
Mark 51 fixed as bug 1301091 is fixed.
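
The failure mode described in the report (a conversion function that returns success while leaving its out-parameter null), as an added example that is not part of the original bug or the Gecko source. The types below are simplified stand-ins, and `ReadOriginAttributes` is a hypothetical caller showing one way to guard the dereference; it is not the fix that landed in bug 1301091.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>

// Simplified stand-ins (assumptions), not the Gecko types of the same names.
using nsresult = uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_UNEXPECTED = 0x8000FFFF;
inline bool NS_FAILED(nsresult rv) { return (rv & 0x80000000u) != 0; }

struct LoadInfo {
  std::string mOriginAttrs;
  nsresult GetOriginAttributes(std::string* aOut) const { *aOut = mOriginAttrs; return NS_OK; }
};

struct OptionalLoadInfoArgs {
  enum Type { Tvoid_t, TLoadInfoArgs };
  Type mType;
  std::string mOriginAttrs;  // constructed payload for the non-void case
  Type type() const { return mType; }
};

// Contract described in the report: the Tvoid_t case succeeds with a null result.
nsresult LoadInfoArgsToLoadInfo(const OptionalLoadInfoArgs& aArgs,
                                std::unique_ptr<LoadInfo>* aOut) {
  aOut->reset();
  if (aArgs.type() == OptionalLoadInfoArgs::Tvoid_t) {
    return NS_OK;  // success, but *aOut stays null
  }
  aOut->reset(new LoadInfo{aArgs.mOriginAttrs});
  return NS_OK;
}

// Hypothetical caller: checks the pointer as well as the result code.
nsresult ReadOriginAttributes(const OptionalLoadInfoArgs& aArgs, std::string* aAttrs) {
  std::unique_ptr<LoadInfo> loadInfo;
  nsresult rv = LoadInfoArgsToLoadInfo(aArgs, &loadInfo);
  if (NS_FAILED(rv)) return rv;
  if (!loadInfo) return NS_ERROR_UNEXPECTED;  // NS_FAILED alone misses this case
  return loadInfo->GetOriginAttributes(aAttrs);
}

int main() {
  std::string attrs;
  OptionalLoadInfoArgs none{OptionalLoadInfoArgs::Tvoid_t, ""};
  std::printf("void_t -> 0x%08x\n", (unsigned)ReadOriginAttributes(none, &attrs));
  return 0;
}
```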