
tls: use after free in tls_wrap

The root cause is that req_wrap is created in StreamBase::Write and passed to TLSWrap::DoWrite. In the TLS case the object gets disposed and replaced with a new instance, but the caller's pointer is never updated. When the StreamBase::Write method returns, it returns a pointer to the freed object to the caller. In some cases, when the object memory has already been reused, an assert is hit in WriteWrap::SetAllocatedStorage because the pointer is non-null.

Refs: #18676

This was introduced in @addaleax's recent PR (#18676) and hasn't propagated to any release branches yet, so I'm going ahead and opening a PR here.

In node-chakracore this was causing a pretty consistent crash only on macOS.

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • commit message follows commit guidelines
Affected core subsystem(s)

tls
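
The pointer-lifetime pattern described above, reduced to a small model. This is an added example, not code from Node.js or from this PR; all names (`Req`, `DoWriteByValue`, `DoWriteByRef`, `WriteStale`, `WriteUpdated`) are hypothetical. Disposal only marks the object so the stale pointer can be inspected safely, and passing the pointer by reference is shown as one way to keep the caller in sync, not necessarily the change made here.

```cpp
#include <memory>
#include <vector>

// Simplified model: requests live in an arena and Dispose() only marks them,
// so a stale pointer can be examined without touching freed memory.
struct Req {
    bool disposed = false;
    void Dispose() { disposed = true; }
};

static std::vector<std::unique_ptr<Req>> g_arena;

static Req* NewReq() {
    g_arena.push_back(std::unique_ptr<Req>(new Req()));
    return g_arena.back().get();
}

// Callee disposes the request it was handed and substitutes a new instance.
// The pointer is passed by value, so the caller never sees the replacement.
static void DoWriteByValue(Req* req) {
    req->Dispose();
    req = NewReq();
    (void)req;  // replacement is only visible inside this function
}

// Same replacement, but the caller's pointer is updated through the reference.
static void DoWriteByRef(Req*& req) {
    req->Dispose();
    req = NewReq();
}

// Caller in the shape the description gives: create, hand off, return.
Req* WriteStale() {
    Req* req = NewReq();
    DoWriteByValue(req);
    return req;  // still refers to the disposed object
}

Req* WriteUpdated() {
    Req* req = NewReq();
    DoWriteByRef(req);
    return req;  // refers to the live replacement
}

int main() {
    // Exit 0 when the stale path returns a disposed object and the updated path does not.
    return (WriteStale()->disposed && !WriteUpdated()->disposed) ? 0 : 1;
}
```

With a real `delete` in place of the marker, the object returned by `WriteStale` would be freed memory, and whether a later check on it trips depends on whether the allocator has reused the slot.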
