FIX: potential use-after-free in tls_proxy
If the TLS session to the client was established (when tls_session_activated()
was called), and the connection to the server was also established successfully
(ec in onConnect() callback was not set); but -- in the meantime -- the this-
pointer was deallocated via std::enable_shared_from_this, we end up in a use-
after-free situation.

This sporadically appeared in CI but wasn't reproducible locally, see randombit#4112.
reneme committed Jul 2, 2024
1 parent 3657a72 commit 9f68d9d
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions src/cli/tls_proxy.cpp
Expand Up @@ -282,13 +282,18 @@ class tls_proxy_session final : public std::enable_shared_from_this<tls_proxy_se
}

void tls_session_activated() override {
auto onConnect = [this](boost::system::error_code ec, const tcp::resolver::iterator& /*endpoint*/) {
auto onConnect = [self = weak_from_this()](boost::system::error_code ec,
const tcp::resolver::iterator& /*endpoint*/) {
if(ec) {
log_error("Server connection", ec);
return;
}
server_read(boost::system::error_code(), 0); // start read loop
proxy_write_to_server({});
if(self.expired()) {
log_error("Server connection established, but client session already closed");
return;
}
self.lock()->server_read(boost::system::error_code(), 0); // start read loop
self.lock()->proxy_write_to_server({});
};
async_connect(m_server_socket, m_server_endpoints, onConnect);
}
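Review bot: The tail of the new onConnect lambda checks `self.expired()` and then calls `self.lock()` twice, which leaves two gaps in which the session can still be destroyed. A `weak_ptr::lock()` on an expired pointer returns an empty `shared_ptr`, so if the last owner is released after the `expired()` check, `self.lock()->server_read(...)` dereferences null. The temporary returned by the first `lock()` is also dropped at the end of that statement, so nothing keeps the object alive until `self.lock()->proxy_write_to_server({})` runs. I would lock once and hold the result for both calls, e.g. `if(auto session = self.lock()) { session->server_read(boost::system::error_code(), 0); session->proxy_write_to_server({}); }`, with the "client session already closed" `log_error` moved to the else branch. That makes the liveness check and the use a single atomic step and drops the separate `expired()` test.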