Remove session use-after-free #6574
Closed
shinrich wants to merge 1 commit into apache:master from
Conversation
shinrich (Member, Author):
[approve ci debian]
Contributor:
Have you or @bneradt retested to make sure this is really a fix?
shinrich (Member, Author):
Yes, @bneradt reran ASAN with this change.
Closed
shinrich (Member, Author):
There are better ways of doing this by reconsidering the "fix" that caused this use-after-free. I have a new branch to PR once we get some more experience with it.
Contributor:
Please remember to remove Milestone and Projects from PRs that are closed without merging.
shinrich (Member, Author), PR description:
I had added these client_vc checks to try to address stale references to client_vc pointers that we were seeing. However, referencing the session object after calling do_io_close is dangerous because the session object may have been freed on return. @bneradt caught this as a use-after-free when working with an ASAN build and the traffic-dump plugin in our prod sym environment.
My current theory on the stale client_vc is that the netvc is closing due to EOS or an error while the read_vio/write_vio continuations are set to 0. In that case the SM/tunnel/session will not be notified that the netvc has been deleted. I added a Warning message so we can look for that case in our logs. I thought about adding an assert, but I figured the Warning would be less invasive. It may be OK to have an unattached netvc in some cases.
I also removed one set of do_io_read nulls that I don't think are necessary.
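The two hazards in the description above, modelled with stand-in types as an added example (this is not Apache Traffic Server code, and the names Session, NetVC, VIO, Continuation, do_io_close, close_on_eos and the g_live registry are assumptions made for the illustration). The first pair of functions contrasts the ordering the PR removes (touching the session after do_io_close) with the safe ordering (read what you need, then close, then never touch the pointer). The second pair reproduces the stale-pointer theory: an EOS arriving while both VIO continuations are 0 leaves the session holding a pointer to a closed netvc, and the only trace is the Warning. A constructed liveness registry stands in for ASAN so the unsafe path can be detected without actually dereferencing freed memory.

```cpp
// Added illustration, not ATS code. Names and behaviour are assumptions.
#include <cstdio>
#include <set>

// Constructed stand-in for ASAN: live Sessions register here, so a caller
// can ask "is this pointer still valid?" instead of dereferencing freed
// memory, which would be undefined behaviour.
static std::set<const void *> g_live;
static bool is_live(const void *p) { return g_live.count(p) != 0; }

enum { EVENT_EOS = 1 };

struct Continuation {
  virtual ~Continuation() = default;
  virtual int handleEvent(int event) = 0;
};

struct VIO {
  Continuation *cont = nullptr; // 0 means nobody is listening on this VIO
};

// On EOS/error the netvc notifies whichever VIO has a continuation. If both
// are 0 the owner is never told and its stored pointer goes stale; the
// Warning models the one the PR adds for that case.
struct NetVC {
  VIO read_vio, write_vio;
  bool closed = false;
  int warnings = 0;

  void close_on_eos() {
    closed = true;
    Continuation *c = read_vio.cont ? read_vio.cont : write_vio.cont;
    if (c) {
      c->handleEvent(EVENT_EOS);
    } else {
      ++warnings;
      std::fprintf(stderr, "Warning: netvc %p closed with no continuation attached\n", (void *)this);
    }
  }
};

struct Session : Continuation {
  NetVC *client_vc;
  explicit Session(NetVC *vc) : client_vc(vc) { g_live.insert(this); }
  ~Session() override { g_live.erase(this); }

  int handleEvent(int) override {
    client_vc = nullptr; // drop the reference once the netvc says it is gone
    return 0;
  }

  // Closing may free the session. Here it always does, to make the hazard
  // deterministic; callers must not touch *this afterwards.
  void do_io_close() {
    if (client_vc) {
      client_vc->read_vio.cont = nullptr;
      client_vc->write_vio.cont = nullptr;
      client_vc->closed = true;
    }
    delete this;
  }
};

// The pattern the PR removes: a client_vc check placed after do_io_close.
// Returns true only if the post-close read would have been safe.
bool check_after_close(Session *s) {
  s->do_io_close();
  if (!is_live(s)) return false; // ASAN would report heap-use-after-free here
  return s->client_vc == nullptr;
}

// Safe ordering: read what you need first, then close, then never touch s.
bool check_before_close(Session *s) {
  bool had_vc = s->client_vc != nullptr;
  s->do_io_close();
  return had_vc;
}

bool run_after_close_pattern()  { NetVC vc; return check_after_close(new Session(&vc)); }
bool run_before_close_pattern() { NetVC vc; return check_before_close(new Session(&vc)); }

// EOS while both VIO continuations are 0: the session keeps a dangling
// client_vc. Returns the Warning count (1) if the pointer is indeed stale.
int eos_with_detached_vio() {
  NetVC vc;
  Session *s = new Session(&vc);
  vc.close_on_eos();
  bool stale = (s->client_vc == &vc && vc.closed);
  int w = vc.warnings;
  s->do_io_close();
  return stale ? w : -1;
}

// Same EOS with the session attached to read_vio: pointer cleared, no Warning.
int eos_with_attached_vio() {
  NetVC vc;
  Session *s = new Session(&vc);
  vc.read_vio.cont = s;
  vc.close_on_eos();
  bool cleared = (s->client_vc == nullptr);
  int w = vc.warnings;
  s->do_io_close();
  return cleared ? w : -1;
}

int main() {
  std::printf("check after close safe?  %s\n", run_after_close_pattern() ? "yes" : "no");
  std::printf("check before close safe? %s\n", run_before_close_pattern() ? "yes" : "no");
  std::printf("warnings, detached VIOs: %d\n", eos_with_detached_vio());
  std::printf("warnings, attached VIO:  %d\n", eos_with_attached_vio());
  return 0;
}
```

In the real code the session is not always freed on return from do_io_close, which is exactly why the bug is intermittent and only showed up under ASAN; the safe rule is the same regardless: nothing about the session may be read after the call that can free it.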