http2: avoid uaf while receiving and sending rst_stream#64166
Can you use "-s" (for Signed-off-by) in the first commit command, then run this command after:
Mark the session as receiving around nghttp2_session_mem_recv() and defer RST_STREAM handling while receive is in progress. This prevents closing a stream while nghttp2 still processes it and avoids heap-use-after-free in nghttp2_session_mem_recv2(). Fixes: nodejs#64113 Signed-off-by: Evgeniy Gorbanev <gorbanev.es@gmail.com>
Is everything correct now?
RafaelGSS left a comment
Can you add a test case or a script with which we could reproduce it?
The scripts are in the issue #64113
| // Do not call `nghttp2_session_mem_send()` while nghttp2 is processing | ||
| // incoming data. Sending may close the stream and free nghttp2 state | ||
| // that is still in use by `nghttp2_session_mem_recv()`. | ||
| if (session_->is_receiving() && available_outbound_length_ == 0) { |
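Review bot: the comment above the check says sending must not happen while nghttp2 is processing incoming data, but the condition only applies when `available_outbound_length_ == 0`, so the guard is skipped whenever output is already queued at the time of the receive callback; either gate on `session_->is_receiving()` alone, or extend the comment to state why a non-empty outbound buffer is exempt from the deferral.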
I think available_outbound_length_ == 0 still leaves the exact same UAF issue for the pending-writes case. E.g. if you write any data during a receive callback and then reset, this check would be false, and we'll miss this fix but hit the old UAF behaviour regardless.
I haven't tested this but looks very plausible, let me know if I've missed something.
If you move & invert (>0) the check into the inner if (so we always reset here in all receive cases, but we defer the reset for both cancel codes and pending-writes) then that'd cover this case as well.
Mark the session as receiving around nghttp2_session_mem_recv() and defer RST_STREAM handling while receive is in progress. This prevents closing a stream while nghttp2 still processes it and avoids heap-use-after-free in nghttp2_session_mem_recv2().
Fixes: #64113
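The pattern the description and the review thread discuss, as an added illustration rather than node's or nghttp2's code: a receive loop hands each frame to a callback and then keeps using the stream object, so a reset requested from inside the callback must be queued and applied only after the loop returns. The `Session`, `Stream`, `mem_recv()` and `rst_stream()` names below are a constructed toy model; `mem_recv()` stands in for `nghttp2_session_mem_recv()`. Following the reviewer's point, the deferral decision depends only on whether a receive is in progress, not on whether output is pending.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <memory>
#include <vector>

// Toy model of the deferral pattern (constructed example, not node or nghttp2 code).
struct Stream {
  int32_t id;
  int frames_seen = 0;
  explicit Stream(int32_t stream_id) : id(stream_id) {}
};

class Session {
 public:
  using FrameCallback = std::function<void(Session&, int32_t)>;

  void open_stream(int32_t id) { streams_[id] = std::make_unique<Stream>(id); }
  bool has_stream(int32_t id) const { return streams_.count(id) != 0; }
  bool is_receiving() const { return receiving_; }
  size_t pending_resets() const { return pending_resets_.size(); }
  int frames_seen(int32_t id) const {
    auto it = streams_.find(id);
    return it == streams_.end() ? -1 : it->second->frames_seen;
  }

  // Application-requested reset; may be called from inside a receive callback.
  // Deferral is decided by is_receiving() alone: whether output is queued plays
  // no role, so the pending-writes case is covered as well.
  void rst_stream(int32_t id) {
    if (receiving_) {
      pending_resets_.push_back(id);
      return;
    }
    close_stream(id);
  }

  // Stand-in for nghttp2_session_mem_recv(): hands each frame to the callback,
  // then keeps using the stream object after the callback has returned.
  size_t mem_recv(const std::vector<int32_t>& frame_stream_ids, const FrameCallback& on_frame) {
    receiving_ = true;
    size_t processed = 0;
    for (int32_t id : frame_stream_ids) {
      Stream* s = find(id);
      if (s == nullptr) continue;  // frame for an unknown or already-closed stream
      on_frame(*this, id);         // the callback may call rst_stream(id)
      s->frames_seen++;            // would be a use-after-free if the reset had freed s
      ++processed;
    }
    receiving_ = false;
    flush_pending_resets();        // resets take effect only now
    return processed;
  }

 private:
  Stream* find(int32_t id) {
    auto it = streams_.find(id);
    return it == streams_.end() ? nullptr : it->second.get();
  }
  void close_stream(int32_t id) { streams_.erase(id); }
  void flush_pending_resets() {
    std::vector<int32_t> ids;
    ids.swap(pending_resets_);
    for (int32_t id : ids) close_stream(id);
  }

  std::map<int32_t, std::unique_ptr<Stream>> streams_;
  std::vector<int32_t> pending_resets_;
  bool receiving_ = false;
};

struct ScenarioResult {
  size_t processed;
  bool stream_alive_after;
  bool was_deferred;
};

// Constructed scenario: two frames arrive for stream 1 and the callback resets
// the stream on the first one. The second frame is still handled on a live
// stream, and the stream is removed only once the receive has finished.
ScenarioResult run_reset_during_receive() {
  Session session;
  session.open_stream(1);
  bool deferred = false;
  size_t processed = session.mem_recv({1, 1}, [&](Session& s, int32_t id) {
    if (s.frames_seen(id) == 0) {  // first frame seen for this stream
      s.rst_stream(id);
      deferred = (s.pending_resets() == 1);
    }
  });
  return {processed, session.has_stream(1), deferred};
}

int main() {
  ScenarioResult r = run_reset_during_receive();
  std::printf("processed=%zu alive_after=%d deferred=%d\n",
              r.processed, r.stream_alive_after ? 1 : 0, r.was_deferred ? 1 : 0);
  return 0;
}
```

Outside a receive, `rst_stream()` closes the stream immediately, so the deferral changes nothing for the ordinary path; it only reorders work that would otherwise run while the library still holds a pointer into the stream.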