Commit d4823569 authored by Robbie McElrath's avatar Robbie McElrath Committed by Commit Bot

Fix URLLoaderFactory use-after-free in NetworkPortalDetectorImpl

NetworkPortalDetectorImpl uses a raw pointer to the
SystemNetworkContextManager's URLLoaderFactory, which will be invalid
if mojo pipe runs into any issues. This CL makes it use a
SahredURLLoaderFactory instead, which will handle failures
automatically.

Bug: 936625
Change-Id: I2ea71ef6cc46440f66349729e16cc2558ef145b1
Reviewed-on: https://chromium-review.googlesource.com/c/1495748Reviewed-by: default avatarJohn Abd-El-Malek <jam@chromium.org>
Reviewed-by: default avatarAlexander Alekseev <alemate@chromium.org>
Commit-Queue: Robbie McElrath <rmcelrath@chromium.org>
Cr-Commit-Position: refs/heads/master@{#636645}
parent 0da11cae
...@@ -224,9 +224,7 @@ void InitializeNetworkPortalDetector() { ...@@ -224,9 +224,7 @@ void InitializeNetworkPortalDetector() {
new NetworkPortalDetectorStub()); new NetworkPortalDetectorStub());
} else { } else {
network_portal_detector::SetNetworkPortalDetector( network_portal_detector::SetNetworkPortalDetector(
new NetworkPortalDetectorImpl( new NetworkPortalDetectorImpl());
g_browser_process->system_network_context_manager()
->GetURLLoaderFactory()));
} }
} }
......
...@@ -13,7 +13,9 @@ ...@@ -13,7 +13,9 @@
#include "base/metrics/histogram_macros.h" #include "base/metrics/histogram_macros.h"
#include "base/single_thread_task_runner.h" #include "base/single_thread_task_runner.h"
#include "base/threading/thread_task_runner_handle.h" #include "base/threading/thread_task_runner_handle.h"
#include "chrome/browser/browser_process.h"
#include "chrome/browser/chrome_notification_types.h" #include "chrome/browser/chrome_notification_types.h"
#include "chrome/browser/net/system_network_context_manager.h"
#include "chromeos/constants/chromeos_switches.h" #include "chromeos/constants/chromeos_switches.h"
#include "chromeos/dbus/dbus_thread_manager.h" #include "chromeos/dbus/dbus_thread_manager.h"
#include "chromeos/dbus/shill_profile_client.h" #include "chromeos/dbus/shill_profile_client.h"
...@@ -24,6 +26,7 @@ ...@@ -24,6 +26,7 @@
#include "content/public/browser/notification_service.h" #include "content/public/browser/notification_service.h"
#include "net/http/http_status_code.h" #include "net/http/http_status_code.h"
#include "net/traffic_annotation/network_traffic_annotation.h" #include "net/traffic_annotation/network_traffic_annotation.h"
#include "services/network/public/cpp/shared_url_loader_factory.h"
#include "third_party/cros_system_api/dbus/service_constants.h" #include "third_party/cros_system_api/dbus/service_constants.h"
using captive_portal::CaptivePortalDetector; using captive_portal::CaptivePortalDetector;
...@@ -203,12 +206,21 @@ constexpr base::TimeDelta ...@@ -203,12 +206,21 @@ constexpr base::TimeDelta
NetworkPortalDetectorImpl::kDelaySinceShillPortalForUMA; NetworkPortalDetectorImpl::kDelaySinceShillPortalForUMA;
NetworkPortalDetectorImpl::NetworkPortalDetectorImpl( NetworkPortalDetectorImpl::NetworkPortalDetectorImpl(
network::mojom::URLLoaderFactory* loader_factory) network::mojom::URLLoaderFactory* loader_factory_for_testing)
: strategy_(PortalDetectorStrategy::CreateById( : strategy_(PortalDetectorStrategy::CreateById(
PortalDetectorStrategy::STRATEGY_ID_LOGIN_SCREEN, PortalDetectorStrategy::STRATEGY_ID_LOGIN_SCREEN,
this)), this)),
weak_factory_(this) { weak_factory_(this) {
NET_LOG(EVENT) << "NetworkPortalDetectorImpl::NetworkPortalDetectorImpl()"; NET_LOG(EVENT) << "NetworkPortalDetectorImpl::NetworkPortalDetectorImpl()";
network::mojom::URLLoaderFactory* loader_factory;
if (loader_factory_for_testing) {
loader_factory = loader_factory_for_testing;
} else {
shared_url_loader_factory_ =
g_browser_process->system_network_context_manager()
->GetSharedURLLoaderFactory();
loader_factory = shared_url_loader_factory_.get();
}
captive_portal_detector_.reset(new CaptivePortalDetector(loader_factory)); captive_portal_detector_.reset(new CaptivePortalDetector(loader_factory));
portal_test_url_ = GURL(CaptivePortalDetector::kDefaultURL); portal_test_url_ = GURL(CaptivePortalDetector::kDefaultURL);
......
...@@ -13,6 +13,7 @@ ...@@ -13,6 +13,7 @@
#include "base/compiler_specific.h" #include "base/compiler_specific.h"
#include "base/macros.h" #include "base/macros.h"
#include "base/memory/ref_counted.h" #include "base/memory/ref_counted.h"
#include "base/memory/scoped_refptr.h"
#include "base/memory/weak_ptr.h" #include "base/memory/weak_ptr.h"
#include "base/observer_list.h" #include "base/observer_list.h"
#include "base/sequence_checker.h" #include "base/sequence_checker.h"
...@@ -34,10 +35,11 @@ class Value; ...@@ -34,10 +35,11 @@ class Value;
} }
namespace network { namespace network {
class SharedURLLoaderFactory;
namespace mojom { namespace mojom {
class URLLoaderFactory; class URLLoaderFactory;
} }
} } // namespace network
namespace chromeos { namespace chromeos {
...@@ -57,7 +59,7 @@ class NetworkPortalDetectorImpl : public NetworkPortalDetector, ...@@ -57,7 +59,7 @@ class NetworkPortalDetectorImpl : public NetworkPortalDetector,
base::TimeDelta::FromSeconds(60); base::TimeDelta::FromSeconds(60);
explicit NetworkPortalDetectorImpl( explicit NetworkPortalDetectorImpl(
network::mojom::URLLoaderFactory* loader_factory); network::mojom::URLLoaderFactory* loader_factory_for_testing = nullptr);
~NetworkPortalDetectorImpl() override; ~NetworkPortalDetectorImpl() override;
// Set the URL to be tested for portal state. // Set the URL to be tested for portal state.
...@@ -225,6 +227,9 @@ class NetworkPortalDetectorImpl : public NetworkPortalDetector, ...@@ -225,6 +227,9 @@ class NetworkPortalDetectorImpl : public NetworkPortalDetector,
base::CancelableClosure attempt_task_; base::CancelableClosure attempt_task_;
base::CancelableClosure attempt_timeout_; base::CancelableClosure attempt_timeout_;
// Reference to a SharedURLLoaderFactory used to detect portals.
scoped_refptr<network::SharedURLLoaderFactory> shared_url_loader_factory_;
// URL that returns a 204 response code when connected to the Internet. Used // URL that returns a 204 response code when connected to the Internet. Used
// by tests. // by tests.
GURL portal_test_url_; GURL portal_test_url_;
......
...@@ -315,9 +315,7 @@ void GaiaScreenHandler::MaybePreloadAuthExtension() { ...@@ -315,9 +315,7 @@ void GaiaScreenHandler::MaybePreloadAuthExtension() {
VLOG(1) << "MaybePreloadAuthExtension"; VLOG(1) << "MaybePreloadAuthExtension";
if (!network_portal_detector_) { if (!network_portal_detector_) {
NetworkPortalDetectorImpl* detector = new NetworkPortalDetectorImpl( NetworkPortalDetectorImpl* detector = new NetworkPortalDetectorImpl();
g_browser_process->system_network_context_manager()
->GetURLLoaderFactory());
detector->set_portal_test_url(GURL(kRestrictiveProxyURL)); detector->set_portal_test_url(GURL(kRestrictiveProxyURL));
network_portal_detector_.reset(detector); network_portal_detector_.reset(detector);
network_portal_detector_->AddObserver(this); network_portal_detector_->AddObserver(this);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment