diff options
| author | eroman@chromium.org <eroman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-01-20 21:27:17 +0000 |
|---|---|---|
| committer | eroman@chromium.org <eroman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-01-20 21:27:17 +0000 |
| commit | d05c7872fad600928cf93ea53549814854d90269 (patch) | |
| tree | fc1e866b1b6116ce855847004c613f8cdc84f53b /net | |
| parent | ae1276fb172b3b884d4b3b7b61210ca5016ab981 (diff) | |
| download | chromium_src-d05c7872fad600928cf93ea53549814854d90269.zip chromium_src-d05c7872fad600928cf93ea53549814854d90269.tar.gz chromium_src-d05c7872fad600928cf93ea53549814854d90269.tar.bz2 | |
Fix a use-after free in socket pool which can happen after reaching the maxium number of sockets.
BUG=109876
Review URL: http://codereview.chromium.org/9226011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@118506 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
| -rw-r--r-- | net/socket/client_socket_pool_base.cc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/socket/client_socket_pool_base.cc b/net/socket/client_socket_pool_base.cc index 113985a..6b2a75d 100644 --- a/net/socket/client_socket_pool_base.cc +++ b/net/socket/client_socket_pool_base.cc @@ -386,6 +386,11 @@ int ClientSocketPoolBaseHelper::RequestSocketInternal( return ERR_IO_PENDING; } } while (ReachedMaxSocketsLimit()); + + // It is possible that CloseOneIdleConnectionInLayeredPool() has deleted + // our Group (see http://crbug.com/109876), so look it up again + // to be safe. + group = GetOrCreateGroup(group_name); } } |