Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix: use-after-free after ClientNetworkCoordinatorSocketHandler::CloseAllConnections() #9534

Merged
merged 1 commit into from Sep 5, 2021

Conversation

@TrueBrain
Copy link
Member

@TrueBrain TrueBrain commented Sep 2, 2021

Motivation / Problem

While debugging a GC issue, I managed to cause a use-after-free. Example flow:

Start your own server, and while your server is being probed (takes ~3 seconds), kill the connection (for example by modifying the code or running your own GC that does this).

Possibly there are other ways to trigger a CloseAllConnections.

Description

The function clears all stun-handlers. This causes all of those
objects to be destroyed.
A handler can have a pending connecter, which was only killed in
case CloseConnection() was called. This is never the case when
the object is destroyed. In result, the connecter could finish
and cause a use-after-free by calling into the (now deleted)
handler.

I have no clue why I initially wrote it in CloseConnection() with this comment, and that worries me a bit. I remember there was something special about these objects, but .. yeah, can't remember, and this seems to be the proper solution.

Limitations

Checklist for review

Some things are not automated, and forgotten often. This list is a reminder for the reviewers.

  • The bug fix is important enough to be backported? (label: 'backport requested')
  • This PR touches english.txt or translations? Check the guidelines
  • This PR affects the save game format? (label 'savegame upgrade')
  • This PR affects the GS/AI API? (label 'needs review: Script API')
    • ai_changelog.hpp, gs_changelog.hpp need updating.
    • The compatibility wrappers (compat_*.nut) need updating.
  • This PR affects the NewGRF API? (label 'needs review: NewGRF')
…eAllConnections()

The function clears all stun-handlers. This causes all of those
objects to be destroyed.
A handler can have a pending connecter, which was only killed in
case CloseConnection() was called. This is never the case when
the object is destroyed. In result, the connecter could finish
and cause a use-after-free by calling into the (now deleted)
handler.
LordAro
LordAro approved these changes Sep 2, 2021
Copy link
Member

@LordAro LordAro left a comment

Sure.

Loading

@TrueBrain TrueBrain merged commit f656b0a into OpenTTD:master Sep 5, 2021
14 checks passed
Loading
@TrueBrain TrueBrain deleted the fix-closing-connecter branch Sep 5, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants