Regression(r223431): Crash under didReceiveChallenge in NetworkSessionCocoa
author cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Feb 2018 19:53:09 +0000 (19:53 +0000)
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Feb 2018 19:53:09 +0000 (19:53 +0000)
https://bugs.webkit.org/show_bug.cgi?id=183134
<rdar://problem/36339049>

Reviewed by Alex Christensen.

Like other delegate functions in this file, it is possible for didReceiveChallenge to get called
after _session has been nulled out. Other delegate functions already had early returns when
_session is null. However, such an early return was missing in didReceiveChallenge.

This patch adds the early return to didReceiveChallenge so that we do not end up calling
_session->downloadID(taskIdentifier) on a null _session.

* NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229031 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm

index 0b67fcc..402e8cd 100644 (file)
@@ -1,3 +1,21 @@
+2018-02-26  Chris Dumez  <cdumez@apple.com>
+
+        Regression(r223431): Crash under didReceiveChallenge in NetworkSessionCocoa
+        https://bugs.webkit.org/show_bug.cgi?id=183134
+        <rdar://problem/36339049>
+
+        Reviewed by Alex Christensen.
+
+        Like other delegates functions in this file, it is possible for didReceiveChallenge to get called
+        after _session has been nulled out. Other delegate functions already had early returns when
+        _session is null. However, such early return was missing in didReceiveChallenge.
+
+        This patch ends the early return to didReceiveChallenge so that we do not end up calling
+        _session->downloadID(taskIdentifier) on a null _session.
+
+        * NetworkProcess/cocoa/NetworkSessionCocoa.mm:
+        (-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]):
+
 2018-02-26  Youenn Fablet  <youenn@apple.com>
 
         MessagePort is not always destroyed in the right thread
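Review bot: The sentence "This patch ends the early return to didReceiveChallenge" in the new ChangeLog entry reads as if the early return were being removed; it should say "adds". The entry also names no test and does not say why one is not possible. For a crash regression, a line stating whether the null _session path can be covered by an API test would help the next person who touches this delegate.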
index 48218b8..3f76093 100644 (file)
@@ -289,6 +289,11 @@ static NSURLRequest* updateIgnoreStrictTransportSecuritySettingIfNecessary(NSURL
 
 - (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler
 {
+    if (!_session) {
+        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
+        return;
+    }
+
     auto taskIdentifier = task.taskIdentifier;
     LOG(NetworkSession, "%llu didReceiveChallenge", taskIdentifier);
     
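Review bot: The new "if (!_session)" guard returns before the LOG(NetworkSession, "%llu didReceiveChallenge", ...) line, so a challenge that is cancelled because the session was already torn down leaves no trace in the log. Consider logging inside the guard, or moving the guard below the LOG line, so these cancellations can be told apart from challenges that never arrived. Calling completionHandler with NSURLSessionAuthChallengeCancelAuthenticationChallenge and a nil credential is the right fail-closed choice, since the handler is always invoked and no default credential handling runs without a session. A one-line comment stating that intent would keep a later change from switching it to a more permissive disposition.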
@@ -342,7 +347,7 @@ static NSURLRequest* updateIgnoreStrictTransportSecuritySettingIfNecessary(NSURL
         };
         networkDataTask->didReceiveChallenge(challenge, WTFMove(challengeCompletionHandler));
     } else {
-        auto downloadID = _session->downloadID(task.taskIdentifier);
+        auto downloadID = _session->downloadID(taskIdentifier);
         if (downloadID.downloadID()) {
             if (auto* download = WebKit::NetworkProcess::singleton().downloadManager().download(downloadID)) {
                 // Received an authentication challenge for a download being resumed.