Witold Kręcicki authored
When two threads unreferenced handles coming from one socket while
the socket was being destructed we could get a use-after-free:
Having handle H1 coming from socket S1, H2 coming from socket S2,
S0 being a parent socket to S1 and S2:

Thread A                             Thread B
Unref handle H1                      Unref handle H2
Remove H1 from S1 active handles     Remove H2 from S2 active handles
nmsocket_maybe_destroy(S1)           nmsocket_maybe_destroy(S2)
nmsocket_maybe_destroy(S0)           nmsocket_maybe_destroy(S0)
LOCK(S0->lock)
Go through all children, figure
out that we have no more active
handles:
sum of S0->children[i]->ah == 0
UNLOCK(S0->lock)
destroy(S0)
                                     LOCK(S0->lock)
                                      - but S0 is already gone
fd8788eb
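
An added example, not code from this commit or its project: a small C model that replays every interleaving of the two threads' steps from the message above and counts the schedules in which S0 is touched after destroy(S0). The `refs` counter variant is an assumed alternative shown for comparison, not the fix this commit applied, and all names in the block are hypothetical.

```c
#include <stdio.h>

/* Constructed model of parent S0 (refs, gone) and children S1, S2 (ah[]). */
struct model { int ah[2]; int refs; int gone; int will[2]; int bad; };

/* Run step s (0..2) of thread t (0 = Thread A, 1 = Thread B). */
static void step(struct model *m, int t, int s, int fixed) {
    switch (s) {
    case 0: /* remove the handle from the child's active handles */
        m->ah[t] = 0;
        break;
    case 1: /* touch S0 to decide whether it should be destroyed */
        if (m->gone) { m->bad = 1; break; }  /* S0 used after destroy */
        if (fixed)  /* assumed variant: one atomic decrement, one winner */
            m->will[t] = (--m->refs == 0);
        else        /* as in the message: sum under lock, then unlock */
            m->will[t] = (m->ah[0] + m->ah[1] == 0);
        break;
    case 2: /* destroy(S0) if this thread decided to */
        if (!m->will[t]) break;
        if (m->gone) m->bad = 1;             /* second destroy of S0 */
        m->gone = 1;
        break;
    }
}

/* Count schedules (out of 20) where S0 is touched after being destroyed. */
int count_bad(int fixed) {
    int bad = 0;
    for (int mask = 0; mask < 64; mask++) {  /* bit k: who runs in slot k */
        int ones = 0, next[2] = { 0, 0 };
        for (int b = 0; b < 6; b++) ones += (mask >> b) & 1;
        if (ones != 3) continue;             /* each thread gets 3 slots */
        struct model m = { {1, 1}, 2, 0, {0, 0}, 0 };
        for (int slot = 0; slot < 6; slot++) {
            int t = (mask >> slot) & 1;
            step(&m, t, next[t]++, fixed);
        }
        bad += m.bad;
    }
    return bad;
}

int main(void) {
    printf("check-then-destroy: %d/20 bad\n", count_bad(0));
    printf("refcount handoff:   %d/20 bad\n", count_bad(1));
    return 0;
}
```

In the check-then-destroy model the decision is made under the lock but acted on after it is released, so any schedule where both threads see a zero sum, or where one thread reaches S0 after the other has destroyed it, is counted as bad.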