Posted to commits@trafficserver.apache.org by zw...@apache.org on 2020/02/05 18:04:56 UTC
[trafficserver] branch 9.0.x updated: Fix heap-use-after-free on
Http2Stream::destroy()
This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 170cabe Fix heap-use-after-free on Http2Stream::destroy()
170cabe is described below
commit 170cabe81932feb39f46a9462e1e423a92d4dca9
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Mon Jan 27 13:36:01 2020 +0900
Fix heap-use-after-free on Http2Stream::destroy()
(cherry picked from commit ca6747102646080fe03046384488150ce93143d9)
---
proxy/http2/Http2Stream.cc | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/proxy/http2/Http2Stream.cc b/proxy/http2/Http2Stream.cc
index ecbec35..f3519c3 100644
--- a/proxy/http2/Http2Stream.cc
+++ b/proxy/http2/Http2Stream.cc
@@ -757,6 +757,8 @@ Http2Stream::destroy()
// Safe to initiate SSN_CLOSE if this is the last stream
if (_proxy_ssn) {
+ cid = _proxy_ssn->connection_id();
+
Http2ClientSession *h2_proxy_ssn = static_cast<Http2ClientSession *>(_proxy_ssn);
SCOPED_MUTEX_LOCK(lock, h2_proxy_ssn->connection_state.mutex, this_ethread());
// Make sure the stream is removed from the stream list and priority tree
@@ -766,7 +768,7 @@ Http2Stream::destroy()
// Update session's stream counts, so it accurately goes into keep-alive state
h2_proxy_ssn->connection_state.release_stream(this);
- cid = _proxy_ssn->connection_id();
+ // Do not access `_proxy_ssn` in below. It might be freed by `release_stream`.
}
// Clean up the write VIO in case of inactivity timeout
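Review bot: After `release_stream(this)` both `_proxy_ssn` and the local `h2_proxy_ssn` may point at freed memory, and the only guard the new code adds is a comment, so a later edit to destroy() can quietly reintroduce the use-after-free. If nothing further down needs the session, clearing the member right after the call with `_proxy_ssn = nullptr;` would turn a stale access into a null check or an immediate fault instead of a read of freed heap; the rest of destroy() and the base-class teardown lie outside this hunk, so that has to be checked against them first. The scoped lock taken in the first hunk is released at the closing brace, which is after the possible free, so it is worth confirming that the lock object holds its own reference to `connection_state.mutex`. The comment would also read more clearly as `// Do not access _proxy_ssn below this point; release_stream() may have freed it.`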