From 710886fbdd993c3a618ea8bc8b59fbb3e18cfbf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5rten=20Nordheim?=
Date: Thu, 3 Dec 2020 15:08:52 +0100
Subject: [PATCH] QSocks5SocketEngine: fix reference to dangling data

Following a41c61fb2d2f973fd1cd5e95ee5be1ac1a4f8433 QIODevice may try to copy the QByteArray itself (rather than the data it points to). This can lead referencing dangling data when the QByteArray is initialized with raw data.

Pick-to: 6.0
Change-Id: I481695b33f251f750ef482d72b81636f0d4bf462
Reviewed-by: Thiago Macieira
---
 src/network/socket/qsocks5socketengine.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/network/socket/qsocks5socketengine.cpp b/src/network/socket/qsocks5socketengine.cpp
index a88931f7074..339116d402f 100644
--- a/src/network/socket/qsocks5socketengine.cpp
+++ b/src/network/socket/qsocks5socketengine.cpp
@@ -1525,8 +1525,12 @@ qint64 QSocks5SocketEngine::write(const char *data, qint64 len)
 if (!d->data->authenticator->seal(buf, &sealedBuf)) {
 // ### Handle this error.
 }
+ // We pass pointer and size because 'sealedBuf' is (most definitely) raw data:
+ // QIODevice might have to cache the byte array if the socket cannot write the data.
+ // If the _whole_ array needs to be cached then it would simply store a copy of the
+ // array whose data will go out of scope and be deallocated before it can be used.
+ qint64 written = d->data->controlSocket->write(sealedBuf.constData(), sealedBuf.size());
- qint64 written = d->data->controlSocket->write(sealedBuf);
 if (written <= 0) {
 QSOCKS5_Q_DEBUG << "native write returned" << written;
 return written;