tls: fix SSL write error handling

Fix an use-after-free bug in the TLS implementation. If we return from `DoWrite()` with an early error, we should not be storing the `WriteWrap` object and complete it again at a later point, when it has already been freed (because of the write error). This issue was reported by Jordan Zebor at F5 Networks, who also helped with investigating this bug and coming up with a reproduction. This fixes CVE-2018-7162. Fixes: https://github.com/nodejs-private/security/issues/189 PR-URL: https://github.com/nodejs-private/node-private/pull/127 Reviewed-By: Evan Lucas <evanlucas@me.com>
nodejs · Jun 12, 2018 · eea2bce · eea2bce
1 parent 92d7b6c
commit eea2bce
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/src/stream_base.cc b/src/stream_base.cc
@@ -387,6 +387,7 @@ void ReportWritesToJSStreamListener::OnStreamAfterReqFinished(
   AsyncWrap* async_wrap = req_wrap->GetAsyncWrap();
   HandleScope handle_scope(env->isolate());
   Context::Scope context_scope(env->context());
+  CHECK(!async_wrap->persistent().IsEmpty());
   Local<Object> req_wrap_obj = async_wrap->object();
 
   Local<Value> argv[] = {

diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
@@ -622,8 +622,10 @@ int TLSWrap::DoWrite(WriteWrap* w,
   if (i != count) {
     int err;
     Local<Value> arg = GetSSLError(written, &err, &error_);
-    if (!arg.IsEmpty())
+    if (!arg.IsEmpty()) {
+      current_write_ = nullptr;
       return UV_EPROTO;
+    }
 
     pending_cleartext_input_.insert(pending_cleartext_input_.end(),
                                     &bufs[i],