Delay isc__nm_uvreq_t deallocation to connection callback (!5887) · Merge requests · ISC Open Source Projects / BIND

Ondřej Surý requested to merge 3166-delay-isc__nm_uvreq_t-deallocation into main Feb 23, 2022

When the TCP, TCPDNS or TLSDNS connection times out, the isc__nm_uvreq_t would be pushed into sock->inactivereqs before the uv_tcp_connect() callback finishes. Because the isc__nmsocket_t keeps the list of inactive isc__nm_uvreq_t, this would cause use-after-free only when the sock->inactivereqs is full (which could never happen because the failure happens in connection timeout callback) or when the sock->inactivereqs mechanism is completely removed (f.e. when running under Address or Thread Sanitizer).

Delay isc__nm_uvreq_t deallocation to the connection callback and only signal the connection callback should be called by shutting down the libuv socket from the connection timeout callback.

Closes #3166 (closed)

Edited Feb 23, 2022 by Evan Hunt

Delay isc__nm_uvreq_t deallocation to connection callback

Merge request reports