Bug 183686 - [Curl] Fix crash on websocket with bad handshake message.
Summary: [Curl] Fix crash on websocket with bad handshake message.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Basuke Suzuki
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2018-03-15 17:22 PDT by Basuke Suzuki
Modified: 2018-03-16 13:57 PDT
Attachments
PATCH (2.47 KB, patch)
2018-03-15 17:38 PDT, Basuke Suzuki
youennf: review+
FIX (2.48 KB, patch)
2018-03-16 10:11 PDT, Basuke Suzuki
no flags

Description Basuke Suzuki 2018-03-15 17:22:15 PDT
It was found by this existing test LayoutTests\http\tests\websocket\tests\hybi\bad-handshake-crash.html.
Comment 1 Basuke Suzuki 2018-03-15 17:38:52 PDT
Created attachment 335913 [details]
PATCH
Comment 2 youenn fablet 2018-03-15 22:10:43 PDT
Comment on attachment 335913 [details]
PATCH

View in context: https://bugs.webkit.org/attachment.cgi?id=335913&action=review

> Source/WebCore/platform/network/curl/SocketStreamHandleImplCurl.cpp:94
> +    m_closed = true;

In case platformClose() needs to be called elsewhere in the future, we could rewrite it as:
if (m_closed)
     return;
m_closed = true;
...
Comment 3 Basuke Suzuki 2018-03-16 08:23:51 PDT
(In reply to youenn fablet from comment #2)
> Comment on attachment 335913 [details]
> PATCH
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=335913&action=review
> 
> > Source/WebCore/platform/network/curl/SocketStreamHandleImplCurl.cpp:94
> > +    m_closed = true;
> 
> In case platformClose() needs to be called elsewhere in the future, we could
> rewrite it as:
> if (m_closed)
>      return;
> m_closed = true;
> ...

Right. There are many other crashes to be fixed following this bug. That kind of protection may be required. Thanks for pointing it out.
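The guard discussed in comment 2 and comment 3 above, as an added illustration that is not WebKit's code and not part of the patch on this bug: a hypothetical socket-stream handle class is driven along a path where platformClose() is reached twice (for instance once from a failed handshake and once from the client side), with and without the early return on m_closed. The class names GuardedHandle and UnguardedHandle, the releaseResources() stand-in for transport teardown, and the counting helpers are assumptions made for this example.

```cpp
#include <functional>
#include <iostream>
#include <utility>

// Added example, not WebKit code. Models the guard suggested in review:
// platformClose() should return early if m_closed is already set.

// Variant without the guard: every call tears down the transport and
// notifies the client again, so a second close re-runs work that should
// happen only once per handle.
class UnguardedHandle {
public:
    explicit UnguardedHandle(std::function<void()> onClosed)
        : m_onClosed(std::move(onClosed)) { }

    void platformClose()
    {
        m_closed = true;
        releaseResources();
        if (m_onClosed)
            m_onClosed();
    }

    bool isClosed() const { return m_closed; }
    int releaseCount() const { return m_releaseCount; }

private:
    // Stand-in for releasing the curl transport (assumption); counted so the
    // caller can observe how many times teardown ran.
    void releaseResources() { ++m_releaseCount; }

    bool m_closed { false };
    int m_releaseCount { 0 };
    std::function<void()> m_onClosed;
};

// Variant with the guard: the early return makes platformClose() idempotent,
// so teardown and the client callback run at most once.
class GuardedHandle {
public:
    explicit GuardedHandle(std::function<void()> onClosed)
        : m_onClosed(std::move(onClosed)) { }

    void platformClose()
    {
        if (m_closed)
            return;
        m_closed = true;
        releaseResources();
        if (m_onClosed)
            m_onClosed();
    }

    bool isClosed() const { return m_closed; }
    int releaseCount() const { return m_releaseCount; }

private:
    void releaseResources() { ++m_releaseCount; }

    bool m_closed { false };
    int m_releaseCount { 0 };
    std::function<void()> m_onClosed;
};

// Closes a handle twice and reports how many times the close callback fired
// and how many times teardown ran. Both numbers should be 1 for a correct
// implementation.
template<typename Handle>
static std::pair<int, int> closeTwice()
{
    int callbacks = 0;
    Handle handle([&callbacks] { ++callbacks; });
    handle.platformClose(); // e.g. from the bad-handshake failure path
    handle.platformClose(); // e.g. from the client closing the stream
    return { callbacks, handle.releaseCount() };
}

int unguardedCallbacks() { return closeTwice<UnguardedHandle>().first; }
int unguardedReleases() { return closeTwice<UnguardedHandle>().second; }
int guardedCallbacks() { return closeTwice<GuardedHandle>().first; }
int guardedReleases() { return closeTwice<GuardedHandle>().second; }

int main()
{
    std::cout << "unguarded: callbacks=" << unguardedCallbacks()
              << " releases=" << unguardedReleases() << '\n';
    std::cout << "guarded:   callbacks=" << guardedCallbacks()
              << " releases=" << guardedReleases() << '\n';
    return 0;
}
```

The unguarded variant reports two callbacks and two teardowns for the double close; the guarded variant reports one of each, which is the property the review comment asks platformClose() to have once other code paths start calling it.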
Comment 4 Basuke Suzuki 2018-03-16 10:11:03 PDT
Created attachment 335948 [details]
FIX

Thanks for r+ @youenn
Comment 5 WebKit Commit Bot 2018-03-16 13:56:06 PDT
Comment on attachment 335948 [details]
FIX

Clearing flags on attachment: 335948

Committed r229681: <https://trac.webkit.org/changeset/229681>
Comment 6 WebKit Commit Bot 2018-03-16 13:56:07 PDT
All reviewed patches have been landed. Closing bug.
Comment 7 Radar WebKit Bug Importer 2018-03-16 13:57:20 PDT
<rdar://problem/38557767>