Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix buffer use after it was released when sending an INVALID_TOKEN error #2524

Merged
merged 1 commit into from
May 5, 2020

Conversation

marten-seemann
Copy link
Member

Related to #2520.

@codecov-io
Copy link

codecov-io commented May 5, 2020

Codecov Report

Merging #2524 into master will decrease coverage by 0.00%.
The diff coverage is 91.67%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #2524      +/-   ##
==========================================
- Coverage   86.14%   86.14%   -0.00%     
==========================================
  Files         122      122              
  Lines        9536     9535       -1     
==========================================
- Hits         8214     8213       -1     
  Misses        984      984              
  Partials      338      338              
Impacted Files Coverage Δ
server.go 83.44% <91.67%> (-0.05%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c0b6d4e...aebf238. Read the comment docs.

@marten-seemann marten-seemann force-pushed the fix-buffer-use-after-release branch from 8bb5cea to aebf238 Compare May 5, 2020 05:19
@@ -292,7 +292,7 @@ func (s *baseServer) handlePacket(p *receivedPacket) {
}
}

func (s *baseServer) handlePacketImpl(p *receivedPacket) bool /* was the packet handled */ {
func (s *baseServer) handlePacketImpl(p *receivedPacket) bool /* should the buffer be released */ {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems quite brittle, similar to manual mem management in C. Is there a way to have all free-ing always be done by a single function? If not, maybe it's worth copying the buf contents in those cases? I think we could take a small perf hit over the risk of serious security issues…?

Is there a way we can avoid similar bugs in the future, make sure we always release buffers properly? With tests we probably can't guarantee full coverage.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The race detector will help us with that. In fact, that's how I found this issue.
When you use a buffer that you already released, and this buffer is used again, this is a race condition. Even if the detection is not 100% guaranteed, at least the test will be flaky...

@marten-seemann marten-seemann merged commit 2e402ff into master May 5, 2020
@marten-seemann marten-seemann deleted the fix-buffer-use-after-release branch May 5, 2020 12:15
@Stebalien Stebalien mentioned this pull request May 26, 2020
77 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants