You are viewing a plain text version of this content. The canonical link for it is here.
Posted to github@trafficserver.apache.org by GitBox <gi...@apache.org> on 2021/06/30 21:46:45 UTC
[GitHub] [trafficserver] shinrich commented on a change in pull request #7845: HTTP/2 Session & ConnectionState Cleanup
shinrich commented on a change in pull request #7845:
URL: https://github.com/apache/trafficserver/pull/7845#discussion_r661832695
##########
File path: proxy/http2/Http2Stream.cc
##########
@@ -190,22 +191,34 @@ Http2Stream::main_event_handler(int event, void *edata)
case VC_EVENT_READ_COMPLETE:
case VC_EVENT_READ_READY:
_timeout.update_inactivity();
- if (e->cookie == &read_vio) {
+ if (e && e->cookie == &read_vio) {
if (read_vio.mutex && read_vio.cont && this->_sm) {
signal_read_event(event);
}
} else {
this->update_read_request(true);
}
break;
+ case VC_EVENT_ERROR:
case VC_EVENT_EOS:
- if (e->cookie == &read_vio) {
+ if (e && e->cookie == &read_vio) {
SCOPED_MUTEX_LOCK(lock, read_vio.mutex, this_ethread());
- read_vio.cont->handleEvent(VC_EVENT_EOS, &read_vio);
- } else if (e->cookie == &write_vio) {
+ read_vio.cont->handleEvent(event, &read_vio);
+ } else if (e && e->cookie == &write_vio) {
SCOPED_MUTEX_LOCK(lock, write_vio.mutex, this_ethread());
- write_vio.cont->handleEvent(VC_EVENT_EOS, &write_vio);
+ write_vio.cont->handleEvent(event, &write_vio);
+ }
+
+ // This assuming stream on inbound side
+ // TODO: make appropriate state
+ if (recv_end_stream && write_vio.cont && write_vio.op == VIO::WRITE && write_vio.nbytes != 0) {
+ SCOPED_MUTEX_LOCK(lock, write_vio.cont->mutex, this_ethread());
+ write_vio.cont->handleEvent(event, &write_vio);
+ } else if (read_vio.cont && read_vio.op == VIO::READ) {
+ SCOPED_MUTEX_LOCK(lock, read_vio.cont->mutex, this_ethread());
+ read_vio.cont->handleEvent(event, &read_vio);
}
Review comment:
This second clause is causing our use after free. Like 209 sends the EOS to our HttpTunnel which then causes everything to cleanup. Then in line 215 we try to access the HttpSM via the write_vio. Don't unnderstand why we need to do this two times.
```
case VC_EVENT_ERROR:
case VC_EVENT_EOS:
if (e && e->cookie == &read_vio) {
SCOPED_MUTEX_LOCK(lock, read_vio.mutex, this_ethread());
read_vio.cont->handleEvent(event, &read_vio);
} else if (e && e->cookie == &write_vio) {
SCOPED_MUTEX_LOCK(lock, write_vio.mutex, this_ethread());
write_vio.cont->handleEvent(event, &write_vio);
}
// This assuming stream on inbound side
// TODO: make appropriate state
if (recv_end_stream && write_vio.cont && write_vio.op == VIO::WRITE && write_vio.nbytes != 0) {
SCOPED_MUTEX_LOCK(lock, write_vio.cont->mutex, this_ethread());
write_vio.cont->handleEvent(event, &write_vio);
} else if (read_vio.cont && read_vio.op == VIO::READ) {
SCOPED_MUTEX_LOCK(lock, read_vio.cont->mutex, this_ethread());
read_vio.cont->handleEvent(event, &read_vio);
}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org