Mozilla Foundation Security Advisory 2015-138

Use-after-free in WebRTC when datachannel is used after being destroyed

Announced

December 15, 2015

Reporter

Looben Yang

Impact

Critical

Products

Firefox, Firefox ESR, Firefox OS

Fixed in

Firefox 43
Firefox ESR 38.5
Firefox OS 2.5

Description

Security researcher Looben Yang reported a use-after-free error in WebRTC that occurs due to timing issues in WebRTC when closing channels. WebRTC may still believe is has a datachannel open after another WebRTC function has closed it. This results in attempts to use the now destroyed datachannel, leading to a potentially exploitable crash.

References

UAF due to DataChannelConnection not Destroy()ed before deletion (CVE-2015-7210)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2015-138

Use-after-free in WebRTC when datachannel is used after being destroyed

Description

References