Skip to content
This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

stream_wrap: possible use-after-free in StreamWrap::WriteStringImpl #4599

Closed
bnoordhuis opened this issue Jan 15, 2013 · 1 comment
Closed

stream_wrap: possible use-after-free in StreamWrap::WriteStringImpl #4599

bnoordhuis opened this issue Jan 15, 2013 · 1 comment
Assignees
@bnoordhuis

Comments

@bnoordhuis
Copy link
Member 

    if (args[1]->IsObject()) {
      Local<Object> send_stream_obj = args[1]->ToObject();
      assert(send_stream_obj->InternalFieldCount() > 0);
      StreamWrap* send_stream_wrap = static_cast<StreamWrap*>(
          send_stream_obj->GetAlignedPointerFromInternalField(0));
      send_stream = send_stream_wrap->GetStream();
    }

    r = uv_write2(&req_wrap->req_,
                  wrap->stream_,
                  &buf,
                  1,
                  send_stream,
                  StreamWrap::AfterWrite);

args[1] - the object to send - should not be garbage collected until StreamWrap::AfterWrite is called. It currently works only by accident.

/cc @indutny
@ghost ghost assigned bnoordhuis Jan 15, 2013
@indutny indutny mentioned this issue Jan 25, 2013
Closed
indutny added a commit to indutny/node that referenced this issue Jan 25, 2013
@indutny
stream_wrap: reference handle before uv_write2
688f861 
Before sending handle to another process using uv_write2(), it should be
referenced to prevent it from being GCed before AfterWrite() will be
called.

see nodejs#4599
indutny added a commit that referenced this issue Jan 26, 2013
@indutny
stream_wrap: reference handle before uv_write2
99f0b02 
Before sending handle to another process using uv_write2(), it should be
referenced to prevent it from being GCed before AfterWrite() will be
called.

see #4599
@indutny
Copy link
Member

indutny commented Feb 25, 2013

Was fixed month ago in 99f0b02

@indutny indutny closed this as completed Feb 25, 2013
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@bnoordhuis bnoordhuis

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@indutny @bnoordhuis