This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 415644e Address possibe use after free issue in
HttpVCTable::remove_entry
415644e is described below
commit 415644e9f472562d21333b3a6f25b1b8f7661f7f
Author: Susan Hinrichs <[email protected]>
AuthorDate: Fri Aug 9 15:02:20 2019 +0000
Address possibe use after free issue in HttpVCTable::remove_entry
(cherry picked from commit 996d7dace90585a5f297f9c625795f301c8bf083)
---
proxy/http/HttpSM.cc | 24 ++++--------------------
1 file changed, 4 insertions(+), 20 deletions(-)
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 62775ce..e36aed9 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -194,26 +194,10 @@ HttpVCTable::remove_entry(HttpVCTableEntry *e)
free_MIOBuffer(e->write_buffer);
e->write_buffer = nullptr;
}
- if (e->read_vio != nullptr && e->read_vio->cont == sm) {
- // Cleanup dangling i/o
- if (e == sm->get_ua_entry() && sm->get_ua_txn() != nullptr) {
- e->read_vio = sm->get_ua_txn()->do_io_read(nullptr, 0, nullptr);
- } else if (e == sm->get_server_entry() && sm->get_server_session()) {
- e->read_vio = sm->get_server_session()->do_io_read(nullptr, 0, nullptr);
- } else {
- ink_release_assert(false);
- }
- }
- if (e->write_vio != nullptr && e->write_vio->cont == sm) {
- // Cleanup dangling i/o
- if (e == sm->get_ua_entry() && sm->get_ua_txn()) {
- e->write_vio = sm->get_ua_txn()->do_io_write(nullptr, 0, nullptr);
- } else if (e == sm->get_server_entry() && sm->get_server_session()) {
- e->write_vio = sm->get_server_session()->do_io_write(nullptr, 0,
nullptr);
- } else {
- ink_release_assert(false);
- }
- }
+ // Cannot reach in to checkout the netvc
+ // for remaining I/O operations because the netvc
+ // may have been deleted at this point and the pointer
+ // could be stale.
e->read_vio = nullptr;
e->write_vio = nullptr;
e->vc_handler = nullptr;
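Review bot: With the two `cont == sm` branches removed, nothing in this hunk cancels a read or write VIO that still names this state machine as its continuation when the netvc is in fact still alive; `e->read_vio` and `e->write_vio` are only nulled on the entry. If that case can still occur, the VC could presumably deliver a later event to a continuation that no longer tracks it, which trades one stale pointer for another, so the contract belongs in the comment that replaces the old cleanup. I would extend the new comment to state it, e.g. `// Callers must close the VC or cancel its outstanding I/O before calling remove_entry(); nothing is cancelled here.` The phrase "reach in to checkout the netvc" would also read more clearly as "inspect the netvc". The body of remove_entry starts above and continues below this hunk, so whether every caller already guarantees this is not visible here.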