From 979d88e8d09f5db265f0f677f66efbef7a346a0e Mon Sep 17 00:00:00 2001
From: Garrett D'Amore
Date: Mon, 30 Dec 2024 23:32:51 -0800
Subject: pipes: fix crash caused by use after free race in rejection

---
 src/core/socket.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

(limited to 'src/core/socket.c')

diff --git a/src/core/socket.c b/src/core/socket.c
index 42c9a528..89352c03 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1528,16 +1528,21 @@ nni_pipe_add(nni_pipe *p)
 
 // nni_pipe_start attempts to start the pipe, adding it to the socket and
 // endpoints and calling callbacks, etc. The pipe should already have finished
-// any negotiation needed at the transport layer.
+// any negotiation needed at the transport layer. Note carefully that the pipe
+// may be destroyed before this function returns, as a result of work done by
+// this function.
 void
 nni_pipe_start(nni_pipe *p)
 {
+	// exactly one of these must be set.
+	NNI_ASSERT(p->p_listener == NULL || p->p_dialer == NULL);
+	NNI_ASSERT(p->p_listener != NULL || p->p_dialer != NULL);
+
+	// NB: starting the pipe can actually cause the pipe
+	// to be deallocated before this returns (if it is rejected)
 	if (p->p_listener) {
-		NNI_ASSERT(p->p_dialer == NULL);
 		listener_start_pipe(p->p_listener, p);
-	}
-	if (p->p_dialer) {
-		NNI_ASSERT(p->p_listener == NULL);
+	} else if (p->p_dialer) {
 		dialer_start_pipe(p->p_dialer, p);
 	}
 }
-- 
cgit v1.2.3-70-g09d2
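Review bot: The use-after-free fix rests on no field of `p` being read after `listener_start_pipe` or `dialer_start_pipe` returns, which the new `else if` achieves, but nothing marks that invariant at the end of the function, so a later edit that appends a statement after the branch would silently reintroduce the race. Consider closing the function with an explicit guard comment, `// p may already be freed here; do not touch it past this point.`, so the lifetime constraint is visible where it matters rather than only in the header comment. The two NNI_ASSERT lines together express "exactly one is set" and could be collapsed into a single `NNI_ASSERT((p->p_listener == NULL) != (p->p_dialer == NULL));`, which reads as the XOR it is. Keeping `else if` instead of a bare `else` is the right call if NNI_ASSERT is compiled out in release builds (not visible in this hunk), since it avoids calling dialer_start_pipe with a NULL dialer when neither field is set.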