tls: use after free in tls_wrap
The root cause is that req_wrap
is created in StreamBase::Write
and passed to TLSWrap::DoWrite
. In the TLS case the object gets
disposed and replaced with a new instance, but the caller's pointer is
never updated. When the StreamBase::Write
method returns, it returns
a pointer to the freed object to the caller. In some cases when the
object memory has already been reused an assert is hit in
WriteWrap::SetAllocatedStorage
because the pointer is non-null.
Refs: #18676
This was introduced in @addaleax recent PR (#18676) and hasn't propagated to any release branches yet, so I'm going ahead and opening a PR here.
In node-chakracore this was causing a pretty consistent crash only on macOS.
Checklist
-
make -j4 test
(UNIX), orvcbuild test
(Windows) passes -
commit message follows commit guidelines
Affected core subsystem(s)
tls