diff options
| author | Garrett D'Amore <garrett@damore.org> | 2024-12-30 23:32:51 -0800 |
|---|---|---|
| committer | Garrett D'Amore <garrett@damore.org> | 2024-12-30 23:47:33 -0800 |
| commit | 979d88e8d09f5db265f0f677f66efbef7a346a0e (patch) | |
| tree | 15ed3ac6b2c58a7c52788440790434cfc0717949 | |
| parent | bbb11f6289b9e19e4830fbff95c0b896c4cd938d (diff) | |
| download | nng-979d88e8d09f5db265f0f677f66efbef7a346a0e.tar.gz nng-979d88e8d09f5db265f0f677f66efbef7a346a0e.tar.bz2 nng-979d88e8d09f5db265f0f677f66efbef7a346a0e.zip | |
pipes: fix crash caused by use after free race in rejection
| -rw-r--r-- | src/core/socket.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/src/core/socket.c b/src/core/socket.c index 42c9a528..89352c03 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -1528,16 +1528,21 @@ nni_pipe_add(nni_pipe *p) // nni_pipe_start attempts to start the pipe, adding it to the socket and // endpoints and calling callbacks, etc. The pipe should already have finished -// any negotiation needed at the transport layer. +// any negotiation needed at the transport layer. Note carefully that the pipe +// may be destroyed before this function returns, as a result of work done by +// this function. void nni_pipe_start(nni_pipe *p) { + // exactly one of these must be set. + NNI_ASSERT(p->p_listener == NULL || p->p_dialer == NULL); + NNI_ASSERT(p->p_listener != NULL || p->p_dialer != NULL); + + // NB: starting the pipe can actually cause the pipe + // to be deallocated before this returns (if it is rejected) if (p->p_listener) { - NNI_ASSERT(p->p_dialer == NULL); listener_start_pipe(p->p_listener, p); - } - if (p->p_dialer) { - NNI_ASSERT(p->p_listener == NULL); + } else if (p->p_dialer) { dialer_start_pipe(p->p_dialer, p); } } |