
tls: use after free in tls_wrap by kfarnung · Pull Request #18860 · nodejs/node

@nodejs-github-bot added the c++ (Issues and PRs that require attention from people who are familiar with C++.) and lib / src (Issues and PRs related to general changes in the lib or src directory.) labels on Feb 19, 2018

addaleax

@kfarnung changed the title from "src: use after free in tls_wrap" to "tls: use after free in tls_wrap" on Feb 20, 2018

@BridgeAR added the author ready (PRs that have at least one approval, no pending requests for changes, and a CI started.) label on Feb 21, 2018
The root cause is that `req_wrap` is created in `StreamBase::Write`
and passed to `TLSWrap::DoWrite`. In the TLS case the object gets
disposed and replaced with a new instance, but the caller's pointer is
never updated. When the `StreamBase::Write` method returns, it returns
a pointer to the freed object to the caller. In some cases when the
object memory has already been reused an assert is hit in
`WriteWrap::SetAllocatedStorage` because the pointer is non-null.

PR-URL: nodejs#18860
Refs: nodejs#18676
Reviewed-By: Anna Henningsen <anna@addaleax.net>
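
The ownership problem in the commit message above, as an added example in simplified form; this is not Node.js source and not this PR's patch. `Req`, `Stream`, `DoWriteByValue`, `DoWriteByRef`, `WriteBuggy`, `WriteFixed` and `SafeToAttach` are hypothetical names, disposal is modeled with a flag rather than a real free so the stale pointer can be inspected without undefined behaviour, and passing the pointer by reference is one way to keep the caller in sync, assumed here for illustration.

```cpp
#include <memory>
#include <vector>

// Simplified model (assumption, not Node.js code): a request is marked
// disposed instead of being freed, so stale pointers stay safe to inspect.
struct Req {
  bool disposed = false;
  void* storage = nullptr;  // expected to be null when storage is attached
};

struct Stream {
  std::vector<std::unique_ptr<Req>> arena;  // owns every Req ever created
  Req* Create() {
    arena.emplace_back(new Req());
    return arena.back().get();
  }
  // Buggy shape: the callee disposes the request and continues with a
  // replacement, but the pointer was passed by value.
  void DoWriteByValue(Req* req) {
    req->disposed = true;
    Create();  // replacement the caller can never reach
  }
  // Corrected shape: the caller's pointer is rewritten to the replacement.
  void DoWriteByRef(Req*& req) {
    req->disposed = true;
    req = Create();
  }
};

// Caller in the shape the description gives: create, hand off, return.
Req* WriteBuggy(Stream& s) {
  Req* req = s.Create();
  s.DoWriteByValue(req);
  return req;  // stale: still refers to the disposed request
}

Req* WriteFixed(Stream& s) {
  Req* req = s.Create();
  s.DoWriteByRef(req);
  return req;  // refers to the live replacement
}

// Precondition a consumer of the returned pointer can check before use.
bool SafeToAttach(const Req* req) {
  return !req->disposed && req->storage == nullptr;
}
```

In real code the disposed request's memory is released, so the stale pointer cannot be checked this way; running the test suite under AddressSanitizer is the practical way to catch the buggy shape.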

addaleax pushed a commit to addaleax/node that referenced this pull request

Feb 27, 2018

MayaLekova pushed a commit to MayaLekova/node that referenced this pull request

May 8, 2018