RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 18:17:44 +00:00
Code Issues Activity Actions

RequestServer: Make pre-connection job refcounted

Browse source 
Fixes #22582

Previously, the job and the (cache of them) would lead to a UAF, as
after `.start()` was called on the job it'd be immediately destroyed.

Example of previous bug:

```
// Note due to the cache &jobA == &jobB
auto& jobA = Job::ensure("https://r.bing.com/");
auto& jobB = Job::ensure("https://r.bing.com/");
// Previously, the first .start() free'd the job
jobA.start();
// So the second .start() was a UAF
jobB.start();
```
This commit is contained in:
MacDue 2024-01-04 16:40:20 +00:00 committed by Ali Mohammad Pur
parent 7c9ca8baab
commit a1d669fe63
4 changed files with 48 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Userland/Services/RequestServer/HttpCommon.h
View file

@ -103,9 +103,9 @@ OwnPtr<Request> start_request(TBadgedProtocol&& protocol, ConnectionFromClient&
protocol_request->set_request_fd(pipe_result.value().read_fd);
if constexpr (IsSame<typename TBadgedProtocol::Type, HttpsProtocol>)
ConnectionCache::get_or_create_connection(ConnectionCache::g_tls_connection_cache, url, *job, proxy_data);
ConnectionCache::get_or_create_connection(ConnectionCache::g_tls_connection_cache, url, job, proxy_data);
else
ConnectionCache::get_or_create_connection(ConnectionCache::g_tcp_connection_cache, url, *job, proxy_data);
ConnectionCache::get_or_create_connection(ConnectionCache::g_tcp_connection_cache, url, job, proxy_data);
return protocol_request;
}