[Backport] CVE-2021-30553: Use after free in Network service

Partial cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2949089:
Fix URLLoader cleanup on CorsURLLoaderFactory destruction.

Destroying one URLLoader can result in other URLLoaders getting errors,
due to to cache interconnectedness. CorsURLLoaderFactory's destructor
was not taking that into account.

Also fix a bonus bug:  HttpCache::Transaction::response_ wasn't being
cleared in HttpCache::Transaction::DoHeadersPhaseCannotProceed(), which
could result in DCHECKs when calling GetResponseInfo() when a
transaction that was waiting on a cached response from another
transaction ended up failing.

[M86] Used older API in cors_url_loader_factory_unittest.cc
      Added AddDefaultHandlers to EmbeddedTestServer

(cherry picked from commit 2f49a3c69a2184c95f43a395e4f33a3959cb8dbc)

(cherry picked from commit baf23e3c5b1394982cff718a0e055d4f239245ad)

Bug: 1209769
Change-Id: I2c18caa488767a29011aca1e1b0bace24c1ba8fc
Reviewed-by: Maksim Orlovich <morlovich@chromium.org>
Commit-Queue: Matt Menke <mmenke@chromium.org>
Cr-Original-Original-Commit-Position: refs/heads/master@{#887522}
Auto-Submit: Matt Menke <mmenke@chromium.org>
Cr-Original-Commit-Position: refs/branch-heads/4472@{#1433}
Cr-Original-Branched-From: 3d60439cfb36485e76a1c5bb7f513d3721b20da1-refs/heads/master@{#870763}
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Artem Sumaneev <asumaneev@google.com>
Owners-Override: Victor-Gabriel Savu <vsavu@google.com>
Commit-Queue: Victor-Gabriel Savu <vsavu@google.com>
Cr-Commit-Position: refs/branch-heads/4240@{#1662}
Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

Author: Matt Menke

chromium/net/http/http_cache_transaction.cc

@@ -2109,6 +2109,8 @@ int HttpCache::Transaction::DoHeadersPhaseCannotProceed(int result) {
   entry_ = nullptr;
   new_entry_ = nullptr;
 
+  SetResponse(HttpResponseInfo());
+
   // Bypass the cache for timeout scenario.
   if (result == ERR_CACHE_LOCK_TIMEOUT)
     effective_load_flags_ |= LOAD_DISABLE_CACHE;

chromium/net/test/embedded_test_server/embedded_test_server.cc

@@ -828,6 +828,10 @@ void EmbeddedTestServer::AddDefaultHandlers(const base::FilePath& directory) {
   RegisterDefaultHandlers(this);
 }
 
+void EmbeddedTestServer::AddDefaultHandlers() {
+  RegisterDefaultHandlers(this);
+}
+
 void EmbeddedTestServer::RegisterRequestHandler(
     const HandleRequestCallback& callback) {
   DCHECK(!io_thread_)

chromium/net/test/embedded_test_server/embedded_test_server.h

@@ -425,6 +425,10 @@ class EmbeddedTestServer {
   // |directory| directory, relative to DIR_SOURCE_ROOT.
   void AddDefaultHandlers(const base::FilePath& directory);
 
+  // Adds all default handlers except, without serving additional files from any
+  // directory.
+  void AddDefaultHandlers();
+
   // Adds a request handler that can perform any general-purpose processing.
   // |callback| will be invoked on the server's IO thread. Note that:
   // 1. All handlers must be registered before the server is Start()ed.

chromium/services/network/cors/cors_url_loader_factory.cc

@@ -229,7 +229,17 @@ CorsURLLoaderFactory::CorsURLLoaderFactory(
       &CorsURLLoaderFactory::DeleteIfNeeded, base::Unretained(this)));
 }
 
-CorsURLLoaderFactory::~CorsURLLoaderFactory() = default;
+CorsURLLoaderFactory::~CorsURLLoaderFactory() {
+  // Delete loaders one at a time, since deleting one loader can cause another
+  // loader waiting on it to fail synchronously, which could result in the other
+  // loader calling DestroyURLLoader().
+  while (!loaders_.empty()) {
+    // No need to call context_->LoaderDestroyed(), since this method is only
+    // called from the NetworkContext's destructor, or when there are no
+    // remaining URLLoaders.
+    loaders_.erase(loaders_.begin());
+  }
+}
 
 void CorsURLLoaderFactory::OnLoaderCreated(
     std::unique_ptr<mojom::URLLoader> loader) {