RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 15:37:46 +00:00
Code Issues Activity Actions

RequestServer: Make pre-connection job refcounted

Browse source 
Fixes #22582

Previously, the job and the (cache of them) would lead to a UAF, as
after `.start()` was called on the job it'd be immediately destroyed.

Example of previous bug:

```
// Note due to the cache &jobA == &jobB
auto& jobA = Job::ensure("https://r.bing.com/");
auto& jobB = Job::ensure("https://r.bing.com/");
// Previously, the first .start() free'd the job
jobA.start();
// So the second .start() was a UAF
jobB.start();
```
This commit is contained in:
MacDue 2024-01-04 16:40:20 +00:00 committed by Ali Mohammad Pur
parent 7c9ca8baab
commit a1d669fe63
4 changed files with 48 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Userland/Services/RequestServer/GeminiProtocol.cpp
View file

@ -31,7 +31,7 @@ OwnPtr<Request> GeminiProtocol::start_request(ConnectionFromClient& client, Byte
auto protocol_request = GeminiRequest::create_with_job({}, client, *job, move(output_stream));
protocol_request->set_request_fd(pipe_result.value().read_fd);
ConnectionCache::get_or_create_connection(ConnectionCache::g_tls_connection_cache, url, *job, proxy_data);
ConnectionCache::get_or_create_connection(ConnectionCache::g_tls_connection_cache, url, job, proxy_data);
return protocol_request;
}