Address use-after-move of single_slice_buffer.

If the lambda is created before we access frontSlice().mem_, then this may result in a nullptr dereference. This seems to be implementation-defined. Signed-off-by: Steve Wang <[email protected]>
envoyproxy · Dec 11, 2023 · 44af392 · 44af392
1 parent 42a1222
commit 44af392
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/source/common/quic/envoy_quic_client_stream.cc b/source/common/quic/envoy_quic_client_stream.cc
@@ -154,7 +154,7 @@ void EnvoyQuicClientStream::encodeData(Buffer::Instance& data, bool end_stream)
         auto single_slice_buffer = std::make_unique<Buffer::OwnedImpl>();
         single_slice_buffer->move(data, slice.len_);
         quic_slices.emplace_back(
-            reinterpret_cast<char*>(single_slice_buffer->frontSlice().mem_), slice.len_,
+            reinterpret_cast<char*>(slice.mem_), slice.len_,
             [single_slice_buffer = std::move(single_slice_buffer)](const char*) mutable {
               // Free this memory explicitly when the callback is invoked.
               single_slice_buffer = nullptr;

diff --git a/source/common/quic/envoy_quic_server_stream.cc b/source/common/quic/envoy_quic_server_stream.cc
@@ -128,7 +128,7 @@ void EnvoyQuicServerStream::encodeData(Buffer::Instance& data, bool end_stream)
         auto single_slice_buffer = std::make_unique<Buffer::OwnedImpl>();
         single_slice_buffer->move(data, slice.len_);
         quic_slices.emplace_back(
-            reinterpret_cast<char*>(single_slice_buffer->frontSlice().mem_), slice.len_,
+            reinterpret_cast<char*>(slice.mem_), slice.len_,
             [single_slice_buffer = std::move(single_slice_buffer)](const char*) mutable {
               // Free this memory explicitly when the callback is invoked.
               single_slice_buffer = nullptr;