angler-fishThe Vulnerability History Project

Reland r59910 - Add HttpResponseBodyDrainer. Use it for unfinished HttpStreams.&quot

      There's one simple fix.  wtc had asked me to increment the buffer so we keep reading into new memory while draining the body.  So I added |total_read_| to |read_buf_|.  The problem is |read_buf_| is an IOBuffer*, not a char*, so I'm causing us to read into raw heap memory.  Crashes ensue.  My unit tests didn't catch it because they never actually read data.  I've fixed that by doing a memset().  I've fixed the problem by not bothering to increment the read index, since that would require throwing away IOBuffers or some intrusive modifications to IOBuffer.

BUG=54277
TEST=HttpResponseBodyDrainerTest.*
Also see the manual testing instructions in r59910.

Review URL: http://codereview.chromium.org/3449014

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@60075 0039d316-1c4b-4281-b951-d872f2087c98
by Guy the Water Buffalo 2010-09-21 18:08:50 UTC
commit 0b0bf036e2c2722b5d31162ad620b450763fa352
Chromium VCC CVE-2011-1465
net/base/net_error_list.h
-3
net/http/http_network_transaction.cc
+20 -35
net/http/http_network_transaction_unittest.cc
+79 -130
net/http/http_response_body_drainer.cc
-119
net/http/http_response_body_drainer.h
-66
net/http/http_response_body_drainer_unittest.cc
-216
net/http/http_util.cc
-10
net/http/http_util.h
-7
net/net.gyp
-3
net/spdy/spdy_network_transaction_unittest.cc
+4 -1
expand_less