NetworkStorageManager.GetAllDatabaseNamesAndVersions crashes with invalid requestIdentifier

Pedro Varangot · rniwa · commit 5644d5bcff23 · 2025-04-17T06:55:24.000-07:00
rdar://149291737 https://bugs.webkit.org/show_bug.cgi?id=291649 Reviewed by Sihui Liu. This fixes the bug by checking if the requestIdentifier is valid * LayoutTests/ipc/getAllDatabaseNamesAndVersions-no-resource-identifier-expected.txt: Added. * LayoutTests/ipc/getAllDatabaseNamesAndVersions-no-resource-identifier.html: Added. * Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp: (WebKit::NetworkStorageManager::getAllDatabaseNamesAndVersions): Canonical link: https://commits.webkit.org/293790@main
diff --git a/LayoutTests/ipc/getAllDatabaseNamesAndVersions-no-resource-identifier-expected.txt b/LayoutTests/ipc/getAllDatabaseNamesAndVersions-no-resource-identifier-expected.txt
@@ -0,0 +1,3 @@
+This test passes if webkit does not crash
+
+PASS
diff --git a/LayoutTests/ipc/getAllDatabaseNamesAndVersions-no-resource-identifier.html b/LayoutTests/ipc/getAllDatabaseNamesAndVersions-no-resource-identifier.html
@@ -0,0 +1,54 @@
+<!DOCTYPE html><!-- webkit-test-runner [ IPCTestingAPIEnabled=true ] -->
+<script>
+  window.testRunner?.waitUntilDone();
+    window.testRunner?.dumpAsText();
+
+    function test() {
+        var pass = document.getElementById('pass');
+        if (window.IPC) {
+            import('./coreipc.js').then(({
+                CoreIPC
+            }) => {
+                CoreIPC.Networking.NetworkStorageManager.GetAllDatabaseNamesAndVersions(0, {
+                    requestIdentifier: {
+                        m_idbConnectionIdentifier: {},
+                        m_resourceNumber: {
+                            optionalValue: 1234
+                        }
+                    },
+                    origin: {
+                        topOrigin: {
+                            data: {
+                                variantType: 'WebCore::SecurityOriginData::Tuple',
+                                variant: {
+                                    protocol: '',
+                                    host: '',
+                                    port: {}
+                                }
+                            }
+                        },
+                        clientOrigin: {
+                            data: {
+                                variantType: 'WebCore::SecurityOriginData::Tuple',
+                                variant: {
+                                    protocol: '',
+                                    host: '',
+                                    port: {}
+                                }
+                            }
+                        }
+                    }
+                });
+                pass.innerText = "PASS";
+                window.testRunner?.notifyDone();
+            });
+        } else {
+            pass.innerText = "PASS";
+            window.testRunner?.notifyDone();
+        }
+    }
+</script>
+<body onload="test()">
+  <p>This test passes if webkit does not crash</p>
+  <div id="pass"></div>
+</body>
diff --git a/Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp b/Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp
@@ -1935,6 +1935,7 @@ void NetworkStorageManager::iterateCursor(const WebCore::IDBRequestData& request
 
 void NetworkStorageManager::getAllDatabaseNamesAndVersions(IPC::Connection& connection, const WebCore::IDBResourceIdentifier& requestIdentifier, const WebCore::ClientOrigin& origin)
 {
+    MESSAGE_CHECK(requestIdentifier.connectionIdentifier(), connection);
     Ref connectionToClient = m_idbStorageRegistry->ensureConnectionToClient(connection.uniqueID(), *requestIdentifier.connectionIdentifier());
     auto result = checkedOriginStorageManager(origin)->idbStorageManager(*m_idbStorageRegistry).getAllDatabaseNamesAndVersions();
     connectionToClient->didGetAllDatabaseNamesAndVersions(requestIdentifier, WTFMove(result));

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+This test passes if webkit does not crash`
	`2`	`+`
	`3`	`+PASS`
Original file line number	Diff line number	Diff line change
`@@ -1935,6 +1935,7 @@ void NetworkStorageManager::iterateCursor(const WebCore::IDBRequestData& request`
`1935`	`1935`
`1936`	`1936`	`void NetworkStorageManager::getAllDatabaseNamesAndVersions(IPC::Connection& connection, const WebCore::IDBResourceIdentifier& requestIdentifier, const WebCore::ClientOrigin& origin)`
`1937`	`1937`	`{`
	`1938`	`+ MESSAGE_CHECK(requestIdentifier.connectionIdentifier(), connection);`
`1938`	`1939`	`Ref connectionToClient = m_idbStorageRegistry->ensureConnectionToClient(connection.uniqueID(), *requestIdentifier.connectionIdentifier());`
`1939`	`1940`	`auto result = checkedOriginStorageManager(origin)->idbStorageManager(*m_idbStorageRegistry).getAllDatabaseNamesAndVersions();`
`1940`	`1941`	`connectionToClient->didGetAllDatabaseNamesAndVersions(requestIdentifier, WTFMove(result));`