[extensions] Fix UAF in WebRequestProxyingURLLoaderFactory

This fixes a UAF problem introduced by https://crrev.com/c/2927311, where we were passing a raw pointer into a callback without ensuring that the object pointed by it would outlive the callback. Bug: 1207136,1221232 Change-Id: I2742edcba8d3a9a8707eb1ce4488b8fc0a3870c1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2971466 Reviewed-by: Karan Bhatia <karandeepb@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#894159}
marcosholgado · Jun 21, 2021 · c10a8a2 · c10a8a2
1 parent 35556ac
commit c10a8a2
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 10 deletions.
diff --git a/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc b/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc
@@ -43,6 +43,7 @@
 #include "services/network/public/cpp/features.h"
 #include "services/network/public/mojom/early_hints.mojom.h"
 #include "services/network/public/mojom/network_service.mojom.h"
+#include "services/network/public/mojom/parsed_headers.mojom-forward.h"
 #include "third_party/blink/public/common/loader/throttling_url_loader.h"
 #include "url/origin.h"
 
@@ -934,19 +935,18 @@ void WebRequestProxyingURLLoaderFactory::InProgressRequest::
   }
 
   proxied_client_receiver_.Pause();
-  auto assign = [](base::OnceClosure continuation,
-                   network::mojom::URLResponseHead* head,
-                   network::mojom::ParsedHeadersPtr parsed_headers) {
-    head->parsed_headers = std::move(parsed_headers);
-    std::move(continuation).Run();
-  };
   content::GetNetworkService()->ParseHeaders(
       request_.url, current_response_->headers,
       base::BindOnce(
-          assign,
-          base::BindOnce(&InProgressRequest::ContinueToResponseStarted,
-                         weak_factory_.GetWeakPtr()),
-          current_response_.get()));
+          &InProgressRequest::AssignParsedHeadersAndContinueToResponseStarted,
+          weak_factory_.GetWeakPtr()));
+}
+
+void WebRequestProxyingURLLoaderFactory::InProgressRequest::
+    AssignParsedHeadersAndContinueToResponseStarted(
+        network::mojom::ParsedHeadersPtr parsed_headers) {
+  current_response_->parsed_headers = std::move(parsed_headers);
+  ContinueToResponseStarted();
 }
 
 void WebRequestProxyingURLLoaderFactory::InProgressRequest::

diff --git a/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h b/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h
@@ -151,6 +151,8 @@ class WebRequestProxyingURLLoaderFactory
     void ContinueToStartRequestWithOk();
     void ContinueToHandleOverrideHeaders(int error_code);
     void OverwriteHeadersAndContinueToResponseStarted(int error_code);
+    void AssignParsedHeadersAndContinueToResponseStarted(
+        network::mojom::ParsedHeadersPtr parsed_headers);
     void ContinueToResponseStarted();
     void ContinueAuthRequest(const net::AuthChallengeInfo& auth_info,
                              WebRequestAPI::AuthRequestCallback callback,