authorbnc <bnc@chromium.org>2015-01-15 13:02:26 -0800
committerCommit bot <commit-bot@chromium.org>2015-01-15 21:04:30 +0000
commit67da3deddd2d80b66310307620d7891a440ae2ce (patch)
treea7dfe8e0a915a8b6763ab7bb2d8c15ee3864a712
parentfd8cfb7933de834e1572ecbef9ad6974398e3fa2 (diff)
Fix dangling pointer in OpenSSL NPN fallback.
A copy assignment to |std::string proto| copies data, then |*out| takes its address, and |proto| goes out of scope, freeing |**out|. This CL replaces that with a |const char*|, so that |*out| would point to the literal |char[]| defined in NextProtoToString. BUG=448428 Review URL: https://codereview.chromium.org/849243003 Cr-Commit-Position: refs/heads/master@{#311732}
-rw-r--r--net/socket/ssl_client_socket_openssl.cc8
1 files changed, 5 insertions, 3 deletions
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index a78a7cf..504b702 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -11,6 +11,7 @@
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
+#include <string.h>
#include "base/bind.h"
#include "base/callback_helpers.h"
@@ -1900,9 +1901,10 @@ int SSLClientSocketOpenSSL::SelectNextProtoCallback(unsigned char** out,
// If we didn't find a protocol, we select the first one from our list.
if (npn_status_ == kNextProtoNoOverlap) {
- const std::string proto = NextProtoToString(ssl_config_.next_protos[0]);
- *out = reinterpret_cast<uint8*>(const_cast<char*>(proto.data()));
- *outlen = proto.size();
+ // NextProtoToString returns a pointer to a static string.
+ const char* proto = NextProtoToString(ssl_config_.next_protos[0]);
+ *out = reinterpret_cast<unsigned char*>(const_cast<char*>(proto));
+ *outlen = strlen(proto);
}
npn_proto_.assign(reinterpret_cast<const char*>(*out), *outlen);
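Review bot: `*outlen = strlen(proto);` narrows a size_t into the callback's length out-parameter, which in OpenSSL's NPN select callback is a single `unsigned char` (the parameter list is cut off in the hunk header, so confirm). A name longer than 255 bytes would be silently truncated, and the stored length would no longer match the bytes at `*out`. Protocol identifiers are short in practice, but `DCHECK_LE(strlen(proto), 255u);` before the assignment would make that assumption explicit. The fix is also only as sound as the lifetime promise in the new comment: `*out` is read after this block (by `npn_proto_.assign` and presumably by OpenSSL once the callback returns), so the static-storage guarantee belongs in NextProtoToString's own documentation as well as here. The function body starts and ends outside the hunk, so whether `next_protos` is checked for emptiness before `next_protos[0]` cannot be seen from here.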