Closed Bug 663893 Opened 10 years ago Closed 10 years ago

Unsafe uses of mListener in nsWebSocketHandler.cpp

Categories

(Core :: Networking: WebSockets, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla7
Tracking Status
firefox6 --- fixed

People

(Reporter: jdm, Assigned: jdm)

References

(Blocks 1 open bug)

Details

Crash Data

Attachments

(1 file)

Both of the following are not sheltered in |if (mListener)| blocks, unlike other similar constructs:

868 nsCOMPtr<nsIRunnable> event =
869   new CallOnServerClose(mListener, mContext);
870 NS_DispatchToMainThread(event);

1317 nsCOMPtr<nsIRunnable> event =
1318   new CallOnStop(mListener, mContext, reason);
1319 NS_DispatchToMainThread(event);
Blocks: 663769
Crash Signature: [@ mozilla::net::CallOnStop::Run]
Summary: Unsafe uses of mListener in nsWebSocket.cpp → Unsafe uses of mListener in nsWebSocketHandler.cpp
Attachment #538965 - Flags: review?(mcmanus)
Blocks: 663918
Comment on attachment 538965 [details] [diff] [review]
Avoid null dereferences in websocket handler.

Review of attachment 538965 [details] [diff] [review]:
-----------------------------------------------------------------
Attachment #538965 - Flags: review?(mcmanus) → review+
Keywords: checkin-needed
Assignee: nobody → josh
http://hg.mozilla.org/mozilla-central/rev/0715dd3bbfb8
Status: NEW → RESOLVED
Closed: 10 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla7
The push broke the build, so I backed out all of its changesets.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Landed on inbound.
http://hg.mozilla.org/mozilla-central/rev/09428adfd4a8
Status: REOPENED → RESOLVED
Closed: 10 years ago10 years ago
Resolution: --- → FIXED
Comment on attachment 538965 [details] [diff] [review]
Avoid null dereferences in websocket handler.

This fixes a potential crasher if websockets are misused by a page.
Attachment #538965 - Flags: approval-mozilla-aurora?
(In reply to comment #7)
> Comment on attachment 538965 [details] [diff] [review] [review]
> Avoid null dereferences in websocket handler.
> 
> This fixes a potential crasher if websockets are misused by a page.

Can a page trigger this? I would think it would be limited to (broken) chrome code.. that's why I didn't a?
We were seeing this in Fennec nightlies on mibbit.com.
Simple fix that fixes a mibbit crash in Fennec. Baked on trunk for 3 days
Comment on attachment 538965 [details] [diff] [review]
Avoid null dereferences in websocket handler.

Approved for mozilla-aurora
Attachment #538965 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.