github/electron
1
1
Fork 0
mirror of https://github.com/electron/electron.git synced 2026-04-10 03:01:51 -04:00
Code Issues Packages Projects Releases Wiki Activity

chore: backport ffed0925f2 from webrtc. (#25853)

Browse Source
This commit is contained in:
Pedro Pontes
2020-10-13 03:53:22 +02:00
committed by GitHub
parent 29ca849382
commit 11847e78a8
3 changed files with 53 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
patches/config.json
View File

@@ -5,5 +5,7 @@
"src/electron/patches/v8": "src/v8",
"src/electron/patches/node": "src/third_party/electron_node"
"src/electron/patches/node": "src/third_party/electron_node",
"src/electron/patches/usrsctp": "src/third_party/usrsctp/usrsctplib"
}

1
patches/usrsctp/.patches Normal file
View File

@@ -0,0 +1 @@
fix_a_use-after-free_bug_for_the_userland_stack.patch

49
patches/usrsctp/fix_a_use-after-free_bug_for_the_userland_stack.patch Normal file
View File

@@ -0,0 +1,49 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pedro Pontes <pepontes@microsoft.com>
Date: Fri, 9 Oct 2020 18:03:51 +0200
Subject: Fix a use-after-free bug for the userland stack.
Backports https://github.com/sctplab/usrsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019?branch=ffed0925f27d404173c1e3e750d818f432d2c019
diff --git a/usrsctplib/netinet/sctp_indata.c b/usrsctplib/netinet/sctp_indata.c
index 8b332355a5bfe5c25fa4fcc4afe4a740957a9075..38e1a9196f514bd480e5f4e5e34609ba0d910762 100755
--- a/usrsctplib/netinet/sctp_indata.c
+++ b/usrsctplib/netinet/sctp_indata.c
@@ -1694,6 +1694,7 @@ sctp_process_a_data_chunk(struct sctp_tcb *stcb, struct sctp_association *asoc,
int *break_flag, int last_chunk, uint8_t chk_type)
{
struct sctp_tmit_chunk *chk = NULL; /* make gcc happy */
+ struct sctp_stream_in *strm;
uint32_t tsn, fsn, gap, mid;
struct mbuf *dmbuf;
int the_len;
@@ -2329,12 +2330,13 @@ finish_express_del:
/* All can be removed */
TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) {
TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
+ strm = &asoc->strmin[control->sinfo_stream];
sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
if (*abort_flag) {
return (0);
}
if (need_reasm_check) {
- (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
+ (void)sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_NOT_HELD);
need_reasm_check = 0;
}
}
@@ -2349,12 +2351,13 @@ finish_express_del:
* control->sinfo_tsn > liste->tsn
*/
TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
+ strm = &asoc->strmin[control->sinfo_stream];
sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
if (*abort_flag) {
return (0);
}
if (need_reasm_check) {
- (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
+ (void)sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_NOT_HELD);
need_reasm_check = 0;
}
}