This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/7.1.x by this push:
     new b2ec090  heap use after free
b2ec090 is described below

commit b2ec090915cb2ec89a7ffe90f646e4da2a5eda3b
Author: Fei Deng <[email protected]>
AuthorDate: Thu Feb 15 15:34:29 2018 -0600

    heap use after free
---
 iocore/net/UnixNetVConnection.cc | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/iocore/net/UnixNetVConnection.cc b/iocore/net/UnixNetVConnection.cc
index cd561b6..5e246c1 100644
--- a/iocore/net/UnixNetVConnection.cc
+++ b/iocore/net/UnixNetVConnection.cc
@@ -1498,17 +1498,8 @@ UnixNetVConnection::migrateToCurrentThread(Continuation 
*cont, EThread *t)
   SSLNetVConnection *sslvc = dynamic_cast<SSLNetVConnection *>(this);
 
   SSL *save_ssl = (sslvc) ? sslvc->ssl : nullptr;
-  if (save_ssl) {
-    SSLNetVCDetach(sslvc->ssl);
-    sslvc->ssl = nullptr;
-  }
 
-  // Do_io_close will signal the VC to be freed on the original thread
-  // Since we moved the con context, the fd will not be closed
-  // Go ahead and remove the fd from the original thread's epoll structure, so 
it is not
-  // processed on two threads simultaneously
-  this->ep.stop();
-  this->do_io_close();
+  UnixNetVConnection *ret_vc = nullptr;
 
   // Create new VC:
   if (save_ssl) {
@@ -1518,8 +1509,8 @@ UnixNetVConnection::migrateToCurrentThread(Continuation 
*cont, EThread *t)
       sslvc = nullptr;
     } else {
       sslvc->set_context(get_context());
+      ret_vc = sslvc;
     }
-    return sslvc;
     // Update the SSL fields
   } else {
     UnixNetVConnection *netvc = static_cast<UnixNetVConnection 
*>(netProcessor.allocate_vc(t));
@@ -1528,9 +1519,27 @@ UnixNetVConnection::migrateToCurrentThread(Continuation 
*cont, EThread *t)
       netvc = nullptr;
     } else {
       netvc->set_context(get_context());
+      ret_vc = netvc;
+    }
+  }
+
+  // clear con.fd and ssl ctx from this NetVC since a new NetVC is created.
+  if (ret_vc != nullptr) {
+    if (save_ssl) {
+      SSLNetVCDetach(sslvc->ssl);
+      sslvc->ssl = nullptr;
     }
-    return netvc;
+    ink_assert(this->con.fd == NO_FD);
+
+    // Do_io_close will signal the VC to be freed on the original thread
+    // Since we moved the con context, the fd will not be closed
+    // Go ahead and remove the fd from the original thread's epoll structure, 
so it is not
+    // processed on two threads simultaneously
+    this->ep.stop();
+    this->do_io_close();
   }
+
+  return ret_vc;
 }
 
 void
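Review bot: `SSLNetVCDetach(sslvc->ssl); sslvc->ssl = nullptr;` in the new trailing block relies on `sslvc` still naming `this`, yet the SSL allocation branch in the second hunk assigns and uses `sslvc` for the newly created VC (`sslvc = nullptr;`, `ret_vc = sslvc;`); unless the allocation line hidden between the first two hunks declares a shadowing local rather than reassigning the outer variable, the detach strips the new VC's SSL and leaves `this->ssl` attached when `do_io_close()` releases `this`, which is the same class of use-after-free the commit sets out to fix. The saved handle already identifies the old object's SSL, so the two lines can be written without depending on which VC `sslvc` points to: `SSLNetVCDetach(save_ssl);` followed by `static_cast<SSLNetVConnection *>(this)->ssl = nullptr;`. The `ink_assert(this->con.fd == NO_FD)` that follows only backs the "fd will not be closed" comment if it is compiled into release builds; if it is debug-only in this tree, a release-time check or a comment naming where `con` was moved out earlier in the function would make that claim hold visibly. migrateToCurrentThread starts before the first hunk, so the move of `con` and the `sslvc` allocation are not visible in this diff.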

-- 
