Fixup use-after-free error in streams tee #102

jasnell · 2022-10-13T19:50:23Z

No description provided.

jasnell · 2022-10-13T19:52:28Z

jasnell · 2022-10-13T20:08:07Z

src/workerd/api/streams/standard.c++

@@ -1660,10 +1660,14 @@ ReadableStreamJsController::ReadableStreamJsController(
    : state(consumer.clone(js, this)) {}

 ReadableStreamJsController::ReadableStreamJsController(kj::Own<ValueReadable> consumer)
-    : state(kj::mv(consumer)) {}
+    : state(kj::mv(consumer)) {
+  state.get<kj::Own<ValueReadable>>()->setOwner(this);


Root cause here is that the ValueReadable and ByteReadable were retaining the pointer to the previous owner. ReadableStreamJsSource was handling this case properly but missed it here.

This reverts commit 39a3365.

jasnell requested review from kentonv, harrishancock, mikea, jclee, a-robinson, bretthoerner and byule as code owners October 13, 2022 19:50

jasnell commented Oct 13, 2022

View reviewed changes

Fixup use-after-free error in streams tee

04d1f09

jasnell force-pushed the jsnell/maybe-fix-tee-uaf branch from 8349243 to 04d1f09 Compare October 13, 2022 20:40

harrishancock approved these changes Oct 14, 2022

View reviewed changes

jasnell merged commit 39a3365 into main Oct 14, 2022

jasnell deleted the jsnell/maybe-fix-tee-uaf branch October 14, 2022 14:37

harrishancock added a commit that referenced this pull request Oct 24, 2022

Revert "Fixup use-after-free error in streams tee (#102)"

11cefde

This reverts commit 39a3365.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fixup use-after-free error in streams tee #102

Fixup use-after-free error in streams tee #102

jasnell commented Oct 13, 2022

jasnell commented Oct 13, 2022

jasnell Oct 13, 2022

Fixup use-after-free error in streams tee #102

Fixup use-after-free error in streams tee #102

Conversation

jasnell commented Oct 13, 2022

jasnell commented Oct 13, 2022

jasnell Oct 13, 2022

Choose a reason for hiding this comment