From 5dceba29a47f5555a101ed1d30a585aac17f5551 Mon Sep 17 00:00:00 2001
From: Ali Mohammad Pur
Date: Tue, 8 Feb 2022 20:28:13 +0330
Subject: [PATCH] RequestServer: Avoid Vector OOB access in ConnectionCache

`it.is_end()` could be updated to return false for a previously-invalid iterator after we append a new socket, copy its value out to a local variable to not hit this behaviour.
---
 Userland/Services/RequestServer/ConnectionCache.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Userland/Services/RequestServer/ConnectionCache.h b/Userland/Services/RequestServer/ConnectionCache.h
index 8a52c4e2fb..61c3ab4c22 100644
--- a/Userland/Services/RequestServer/ConnectionCache.h
+++ b/Userland/Services/RequestServer/ConnectionCache.h
@@ -149,7 +149,8 @@ decltype(auto) get_or_create_connection(auto& cache, URL const& url, auto& job)
 using ReturnType = decltype(&sockets_for_url[0]);
 auto it = sockets_for_url.find_if([](auto& connection) { return connection->request_queue.is_empty(); });
 auto did_add_new_connection = false;
- if (it.is_end() && sockets_for_url.size() < ConnectionCache::MaxConcurrentConnectionsPerURL) {
+ auto failed_to_find_a_socket = it.is_end();
+ if (failed_to_find_a_socket && sockets_for_url.size() < ConnectionCache::MaxConcurrentConnectionsPerURL) {
 using ConnectionType = RemoveCVReferencevalue->at(0))>;
 auto connection_result = ConnectionType::SocketType::connect(url.host(), url.port_or_default());
 if (connection_result.is_error()) {
@@ -174,7 +175,7 @@ decltype(auto) get_or_create_connection(auto& cache, URL const& url, auto& job)
 did_add_new_connection = true;
 }
 size_t index;
- if (it.is_end()) {
+ if (failed_to_find_a_socket) {
 if (did_add_new_connection) {
 index = sockets_for_url.size() - 1;
 } else {
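Review bot: The new `failed_to_find_a_socket` local in the -149 hunk carries the whole fix, but nothing at its declaration records why `it.is_end()` must not be re-evaluated once the vector has grown, so a later cleanup could fold it back into the second check (`if (failed_to_find_a_socket)` in the -174 hunk) and bring back the out-of-bounds index. I would declare it `auto const failed_to_find_a_socket = it.is_end();` and put a comment above it along the lines of `// Snapshot before any append: 'it' is stale once sockets_for_url grows, and is_end() may then return false.` The iterator `it` stays in scope after the append, which per the commit message happens between the two hunks, so it is worth confirming that the branches running past the second hunk only read `it` on the path where no connection was added. get_or_create_connection starts and ends outside both hunks.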