author Kyle Farnung <kfarnung@microsoft.com> 2018-02-18 01:16:02 -0800
committer Kyle Farnung <kfarnung@microsoft.com> 2018-02-23 16:13:51 -0800
commit 743f8904cca16d87c8ac856488bf021849a43383 (patch)
tree a377e1863db14a51a5c200c573bc030b4d56ce34 /src/tls_wrap.h
parent a29089d7c866955616c0e363843017e9b9b2a736 (diff)
tls: use after free in tls_wrap
The root cause is that `req_wrap` is created in `StreamBase::Write` and passed to `TLSWrap::DoWrite`. In the TLS case the object gets disposed and replaced with a new instance, but the caller's pointer is never updated. When the `StreamBase::Write` method returns, it returns a pointer to the freed object to the caller. In some cases when the object memory has already been reused an assert is hit in `WriteWrap::SetAllocatedStorage` because the pointer is non-null.

PR-URL: https://github.com/nodejs/node/pull/18860
Refs: https://github.com/nodejs/node/pull/18676
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Diffstat (limited to 'src/tls_wrap.h')
-rw-r--r-- src/tls_wrap.h 1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/tls_wrap.h b/src/tls_wrap.h
index afd19c027e..245a6d518a 100644
--- a/src/tls_wrap.h
+++ b/src/tls_wrap.h
@@ -152,6 +152,7 @@ class TLSWrap : public AsyncWrap,
std::vector<uv_buf_t> pending_cleartext_input_;
size_t write_size_;
WriteWrap* current_write_ = nullptr;
+ WriteWrap* current_empty_write_ = nullptr;
bool write_callback_scheduled_ = false;
bool started_;
bool established_;
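Review bot: the new `WriteWrap* current_empty_write_` member, added directly below `current_write_`, is a second raw pointer to a `WriteWrap` with no comment saying who owns the pointed-to object or when the field returns to `nullptr`. The commit message attributes the bug to a `req_wrap` that was disposed while a caller still held its pointer, so a short comment here stating the lifetime rule (what sets the field, what clears it, and that it must be cleared before the wrap is disposed) and how it differs from `current_write_` would help keep the same mistake from recurring. This diff is limited to `src/tls_wrap.h`, so the assignments and resets in the implementation file are not visible here and should be checked against that rule.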