Skip to content
Snippets Groups Projects
Commit 873d575c authored by Craig Tiller's avatar Craig Tiller Committed by GitHub
Browse files

Merge pull request #8755 from ctiller/fangmeister 

Fix use-after-free in time parse caching
parents 354d075b 738e6dbc
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
src/core/ext/transport/chttp2/transport/parsing.c
+ 2
1
View file @ 873d575c
...@@ -471,7 +471,8 @@ static void on_initial_header(grpc_exec_ctx *exec_ctx, void *tp, ...@@ -471,7 +471,8 @@ static void on_initial_header(grpc_exec_ctx *exec_ctx, void *tp,
grpc_mdstr_as_c_string(md->value)); grpc_mdstr_as_c_string(md->value));
*cached_timeout = gpr_inf_future(GPR_TIMESPAN); *cached_timeout = gpr_inf_future(GPR_TIMESPAN);
} }
grpc_mdelem_set_user_data(md, free_timeout, cached_timeout); cached_timeout =
grpc_mdelem_set_user_data(md, free_timeout, cached_timeout);
} }
grpc_chttp2_incoming_metadata_buffer_set_deadline( grpc_chttp2_incoming_metadata_buffer_set_deadline(
&s->metadata_buffer[0], &s->metadata_buffer[0],
......
src/core/lib/transport/metadata.c
+ 4
3
View file @ 873d575c
...@@ -728,8 +728,8 @@ void *grpc_mdelem_get_user_data(grpc_mdelem *md, void (*destroy_func)(void *)) { ...@@ -728,8 +728,8 @@ void *grpc_mdelem_get_user_data(grpc_mdelem *md, void (*destroy_func)(void *)) {
return result; return result;
} }
void grpc_mdelem_set_user_data(grpc_mdelem *md, void (*destroy_func)(void *), void *grpc_mdelem_set_user_data(grpc_mdelem *md, void (*destroy_func)(void *),
void *user_data) { void *user_data) {
internal_metadata *im = (internal_metadata *)md; internal_metadata *im = (internal_metadata *)md;
GPR_ASSERT(!is_mdelem_static(md)); GPR_ASSERT(!is_mdelem_static(md));
GPR_ASSERT((user_data == NULL) == (destroy_func == NULL)); GPR_ASSERT((user_data == NULL) == (destroy_func == NULL));
...@@ -740,11 +740,12 @@ void grpc_mdelem_set_user_data(grpc_mdelem *md, void (*destroy_func)(void *), ...@@ -740,11 +740,12 @@ void grpc_mdelem_set_user_data(grpc_mdelem *md, void (*destroy_func)(void *),
if (destroy_func != NULL) { if (destroy_func != NULL) {
destroy_func(user_data); destroy_func(user_data);
} }
return; return (void *)gpr_atm_no_barrier_load(&im->user_data);
} }
gpr_atm_no_barrier_store(&im->user_data, (gpr_atm)user_data); gpr_atm_no_barrier_store(&im->user_data, (gpr_atm)user_data);
gpr_atm_rel_store(&im->destroy_user_data, (gpr_atm)destroy_func); gpr_atm_rel_store(&im->destroy_user_data, (gpr_atm)destroy_func);
gpr_mu_unlock(&im->mu_user_data); gpr_mu_unlock(&im->mu_user_data);
return user_data;
} }
grpc_slice grpc_mdstr_as_base64_encoded_and_huffman_compressed(grpc_mdstr *gs) { grpc_slice grpc_mdstr_as_base64_encoded_and_huffman_compressed(grpc_mdstr *gs) {
......
src/core/lib/transport/metadata.h
+ 2
2
View file @ 873d575c
...@@ -120,8 +120,8 @@ size_t grpc_mdelem_get_size_in_hpack_table(grpc_mdelem *elem); ...@@ -120,8 +120,8 @@ size_t grpc_mdelem_get_size_in_hpack_table(grpc_mdelem *elem);
is used as a type tag and is checked during user_data fetch. */ is used as a type tag and is checked during user_data fetch. */
void *grpc_mdelem_get_user_data(grpc_mdelem *md, void *grpc_mdelem_get_user_data(grpc_mdelem *md,
void (*if_destroy_func)(void *)); void (*if_destroy_func)(void *));
void grpc_mdelem_set_user_data(grpc_mdelem *md, void (*destroy_func)(void *), void *grpc_mdelem_set_user_data(grpc_mdelem *md, void (*destroy_func)(void *),
void *user_data); void *user_data);
/* Reference counting */ /* Reference counting */
//#define GRPC_METADATA_REFCOUNT_DEBUG //#define GRPC_METADATA_REFCOUNT_DEBUG
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment