Cherry-pick 275369@main (eaa2c46). https://bugs.webkit.org/show_bug.c…

…gi?id=270006 ASSERT_WITH_SECURITY_IMPLICATION reached on Messages::NetworkProcess in NetworkConnectionToWebProcess::didReceiveMessage() https://bugs.webkit.org/show_bug.cgi?id=270006 rdar://123087621 Reviewed by Alex Christensen and Chris Dumez. Replace assertions checking that `decoder.messageReceiverName() != Messages::NetworkProcess::messageReceiverName()` with MESSAGE_CHECK. Network messages from the web content process are safely ignored elsewhere already so the assert is not needed * Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp: (WebKit::NetworkConnectionToWebProcess::didReceiveMessage): (WebKit::NetworkConnectionToWebProcess::didReceiveSyncMessage): Canonical link: https://commits.webkit.org/275369@main Canonical link: https://commits.webkit.org/274313.187@webkitglib/2.44
WebKit · May 1, 2024 · fdf2bee · fdf2bee
1 parent 5f38289
commit fdf2bee
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/LayoutTests/ipc/send-ignored-network-message-expected.txt b/LayoutTests/ipc/send-ignored-network-message-expected.txt
@@ -0,0 +1 @@
+This test should not crash
diff --git a/LayoutTests/ipc/send-ignored-network-message.html b/LayoutTests/ipc/send-ignored-network-message.html
@@ -0,0 +1,10 @@
+<script>
+    if (window.testRunner)
+            testRunner.dumpAsText();
+function fuzz() {
+    if (window.IPC)
+        IPC.sendMessage('Networking',0,IPC.messages.NetworkProcess_ClearBundleIdentifier.name,[]);
+}
+</script>
+<body onload='fuzz()'></body>
+<div>This test should not crash</div>
diff --git a/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp b/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
@@ -120,6 +120,7 @@
 
 #define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, &this->connection())
 #define MESSAGE_CHECK_COMPLETION(assertion, completion) MESSAGE_CHECK_COMPLETION_BASE(assertion, &this->connection(), completion)
+#define MESSAGE_CHECK_WITH_RETURN_VALUE(assertion, returnValue) MESSAGE_CHECK_WITH_RETURN_VALUE_BASE(assertion, &this->connection(), returnValue)
 
 namespace WebKit {
 using namespace WebCore;
@@ -230,7 +231,7 @@ void NetworkConnectionToWebProcess::didReceiveMessage(IPC::Connection& connectio
     ASSERT_WITH_SECURITY_IMPLICATION(RunLoop::isMain());
 
     // For security reasons, Messages::NetworkProcess IPC is only supposed to come from the UIProcess.
-    ASSERT_WITH_SECURITY_IMPLICATION(decoder.messageReceiverName() != Messages::NetworkProcess::messageReceiverName());
+    MESSAGE_CHECK(decoder.messageReceiverName() != Messages::NetworkProcess::messageReceiverName());
 
     if (decoder.messageReceiverName() == Messages::NetworkConnectionToWebProcess::messageReceiverName()) {
         didReceiveNetworkConnectionToWebProcessMessage(connection, decoder);
@@ -382,7 +383,7 @@ void NetworkConnectionToWebProcess::unregisterToRTCDataChannelProxy()
 bool NetworkConnectionToWebProcess::didReceiveSyncMessage(IPC::Connection& connection, IPC::Decoder& decoder, UniqueRef<IPC::Encoder>& reply)
 {
     // For security reasons, Messages::NetworkProcess IPC is only supposed to come from the UIProcess.
-    ASSERT(decoder.messageReceiverName() != Messages::NetworkProcess::messageReceiverName());
+    MESSAGE_CHECK_WITH_RETURN_VALUE(decoder.messageReceiverName() != Messages::NetworkProcess::messageReceiverName(), false);
 
     if (decoder.messageReceiverName() == Messages::NetworkConnectionToWebProcess::messageReceiverName())
         return didReceiveSyncNetworkConnectionToWebProcessMessage(connection, decoder, reply);
@@ -1586,3 +1587,4 @@ void NetworkConnectionToWebProcess::destroyWebTransportSession(WebTransportSessi
 #undef CONNECTION_RELEASE_LOG
 #undef MESSAGE_CHECK_COMPLETION
 #undef MESSAGE_CHECK
+#undef MESSAGE_CHECK_WITH_RETURN_VALUE