Fix UAF in cast_channel::MessageFramer.

This was introduced in r585571. The cause is that MojoDataPump could be hanging on to an unretained callback to CastTransportImpl::OnReadResult. CastSocketImpl::CloseInternal() would reset CastTransportImpl but not MojoDataPump. Depending on the timing of when the data comes back, a UAF could happen. Bug: 878021 Change-Id: I1edf4d2bfdc6ed7c47344f715a7323ed6954cbf7 Reviewed-on: https://chromium-review.googlesource.com/1195747Reviewed-by: Derek Cheng <imcheng@chromium.org> Commit-Queue: John Abd-El-Malek <jam@chromium.org> Cr-Commit-Position: refs/heads/master@{#587245}

Fix UAF in cast_channel::MessageFramer.
This was introduced in r585571. The cause is that MojoDataPump could be hanging on to an unretained callback to CastTransportImpl::OnReadResult. CastSocketImpl::CloseInternal() would reset CastTransportImpl but not MojoDataPump. Depending on the timing of when the data comes back, a UAF could happen. Bug: 878021 Change-Id: I1edf4d2bfdc6ed7c47344f715a7323ed6954cbf7 Reviewed-on: https://chromium-review.googlesource.com/1195747Reviewed-by: Derek Cheng <imcheng@chromium.org> Commit-Queue: John Abd-El-Malek <jam@chromium.org> Cr-Commit-Position: refs/heads/master@{#587245}
eb223212 · John Abd-El-Malek · Commit Bot · fda94f7f · eb223212
Commit eb223212 authored Aug 29, 2018 by John Abd-El-Malek Committed by Commit Bot Aug 29, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

components/cast_channel/cast_socket.cc components/cast_channel/cast_socket.cc +1 -0

No files found.
--- a/components/cast_channel/cast_socket.cc
+++ b/components/cast_channel/cast_socket.cc
@@ -613,6 +613,7 @@ void CastSocketImpl::CloseInternal() {
                          << ReadyStateToString(ready_state_);
  observers_.Clear();
  delegate_.reset();
+  mojo_data_pump_.reset();
  transport_.reset();
  tcp_socket_.reset();
  socket_.reset();