Summary
HCCleanupAsync can overlap completion of an in-flight HTTP request. If the HTTP completion callback frees its XAsyncBlock, cleanup can subsequently attempt to XAsyncCancel that same block, creating a potential use-after-free. This hazard was introduced with #931.
Impact
- Potential use-after-free on the client-owned XAsyncBlock
- Nondeterministic cleanup/completion ordering for HTTP performs
- Possible follow-on failures in later operations once the race is hit
Expected behavior
Once the HTTP completion callback begins running, library cleanup should no longer treat that request as cancelable through the client-owned XAsyncBlock.
Actual behavior
During cleanup, the request can still be observed as active and cancelable while the client completion callback is already executing.
Repro
At a high level:
- Initialize libHttpClient.
- Create a mocked HTTP call and perform it asynchronously.
- Let the completion callback run on the client-owned XAsyncBlock.
- Observe that cleanup can still treat that request as cancelable from within the callback window.
Note
A PR fix will be inbound after internal review.
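
The ordering described under Expected and Actual behavior, as a single-threaded model added here for illustration (it is not libHttpClient code or the pending fix). `ClientBlock`, `RequestTracker` and `TargetsSeenDuringCallback` are hypothetical names; the callback stands in for client code that may free its block, and "cleanup" is reduced to asking which blocks would be cancelled.

```cpp
#include <cstddef>
#include <functional>
#include <mutex>
#include <set>

// Hypothetical stand-in for a client-owned async block (not the real XAsyncBlock).
struct ClientBlock {
    std::function<void(ClientBlock*)> callback;
};

// Hypothetical tracker of in-flight requests that cleanup walks to cancel.
class RequestTracker {
public:
    void Register(ClientBlock* b) {
        std::lock_guard<std::mutex> lock(m_);
        active_.insert(b);
    }
    // Snapshot of the blocks cleanup would try to cancel right now.
    std::set<ClientBlock*> CancelTargets() {
        std::lock_guard<std::mutex> lock(m_);
        return active_;
    }
    // unregisterFirst=false models the hazardous ordering: the client callback
    // runs (and may free the block) while the block is still listed as cancelable.
    void Complete(ClientBlock* b, bool unregisterFirst) {
        if (unregisterFirst) Unregister(b);
        auto cb = b->callback;               // copy: the callback may free b
        cb(b);
        if (!unregisterFirst) Unregister(b); // uses the pointer value only
    }
private:
    void Unregister(ClientBlock* b) {
        std::lock_guard<std::mutex> lock(m_);
        active_.erase(b);
    }
    std::mutex m_;
    std::set<ClientBlock*> active_;
};

// Number of blocks cleanup would cancel if it ran inside the callback window.
std::size_t TargetsSeenDuringCallback(bool unregisterFirst) {
    RequestTracker tracker;
    std::size_t seen = 0;
    ClientBlock block;
    block.callback = [&](ClientBlock*) { seen = tracker.CancelTargets().size(); };
    tracker.Register(&block);
    tracker.Complete(&block, unregisterFirst);
    return seen;
}
```

With real threads, a cleanup pass that took its snapshot before the unregister can still hold a stale pointer, so the unregister step also has to be synchronized with the cancel itself.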