149864 – Possible null pointer dereference in WebSocket::connect

Bug 149864 - Possible null pointer dereference in WebSocket::connect

Summary: Possible null pointer dereference in WebSocket::connect

Status:	RESOLVED CONFIGURATION CHANGED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	Other
Hardware:	All All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-10-06 17:41 PDT by Michael Catanzaro
Modified:	2023-05-12 08:00 PDT (History)
CC List:	8 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Catanzaro 2015-10-06 17:41:48 PDT

I noticed this issue due to the fix for bug #149311.

Later down in WebSocket::connect() there is a call to document.frame()->loader().mixedContentChecker(). I don't see why that doesn't crash now, since it occurs if (is<Document>(*scriptExecutionContext()), the same condition as the null dereference of frame up above, which was problematic in bug #149311. That was "safe" when I added it because document.frame() was assumed to be nonnull up above, but clearly that was wrong and is now no longer the case.

I guess if it's not crashing (is it returning early on an error path?), then it might not be a problem, but it looks dangerous in light of this change... do we need to add a check to make sure frame is not null there? If so, do we need to rethink how to gain access to the mixed content checker, or is the content in a detached frame not going to be loaded? We need to be careful not to accidentally allow loading insecure content here.

Comment 1 Anne van Kesteren 2023-05-12 08:00:46 PDT

It looks like this has been refactored and frame is null-checked now.