m) Fix: read_ctx may be accessed after free
read_ctx may be accessed after free in the following situation:
1) First: qdec_header_process got LQRHS_BLOCKED (e.g. Required Insert Count not enough; here we assume RIC is 17) from qdec_read_header, and then stash_blocked_header, which means that read_ctx will be inserted into dec->qpd_blocked_headers[id]
2) Second: qdec_header_process got LQRHS_ERROR (e.g. QPACK decompression error), then it calls qdec_remove_header_block and frees read_ctx, but read_ctx is still retained in the qpd_blocked_headers list
3) Third: RIC 17 is ready, then it will call qdec_process_blocked_headers, and here the above read_ctx will be accessed again, but its memory is invalid, which will coredump.
wangfuyu authored and ivanfywang committed Aug 15, 2022
1 parent 5455da9 commit 94434fb
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lsqpack.c
Expand Up @@ -4230,7 +4230,7 @@ qdec_header_process (struct lsqpack_dec *dec,

if (read_ctx->hbrc_flags & HBRC_ON_LIST)
{
qdec_remove_header_block(dec, read_ctx);
destroy_header_block_read_ctx(dec, read_ctx);
free(read_ctx);
}

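Review bot: the only change in this hunk is swapping qdec_remove_header_block(dec, read_ctx) for destroy_header_block_read_ctx(dec, read_ctx) under the HBRC_ON_LIST check, so whether this closes the use-after-free from the commit message depends entirely on destroy_header_block_read_ctx also unlinking read_ctx from dec->qpd_blocked_headers[id] before the free(read_ctx) that follows; that function's body is not part of the diff, so please confirm it does, and add a short comment above the call stating that the block must leave the blocked-headers list before being freed so the next reader does not reintroduce the original ordering. A regression test that drives qdec_header_process through LQRHS_BLOCKED, then an error on the same block, then satisfies the required insert count so qdec_process_blocked_headers runs, would pin this down.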

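The three-step sequence in the commit message is a general pattern: an object is parked on a "pending" list, an error path frees it without unlinking it, and a later walk of that list touches freed memory. The following added example (not lsqpack's code; the names stash_blocked, handle_error_buggy, handle_error_fixed and process_blocked, the array-based blocked list, and the simulated allocator are all assumptions made for illustration) replays the scenario in a small model decoder and shows that only the fixed error path leaves no stale entry behind.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the scenario from the commit message; not lsqpack's
 * code. All names and the array-based blocked list are illustrative. */

#define MAX_BLOCKED 4

struct read_ctx {
    unsigned ric;   /* Required Insert Count this header block waits for */
    int on_list;    /* models the HBRC_ON_LIST flag */
    int alive;      /* simulated allocator state: 0 once "freed" */
};

struct decoder {
    unsigned insert_count;                 /* dynamic-table entries inserted so far */
    struct read_ctx *blocked[MAX_BLOCKED]; /* models dec->qpd_blocked_headers */
};

/* Simulated free: marks the object dead but keeps its memory readable, so a
 * later access can be counted instead of crashing or corrupting the heap. */
static void ctx_free(struct read_ctx *ctx) { ctx->alive = 0; }

/* Step 1: header block is blocked on a future insert count and is parked. */
static void stash_blocked(struct decoder *dec, struct read_ctx *ctx)
{
    for (int i = 0; i < MAX_BLOCKED; i++)
        if (!dec->blocked[i]) { dec->blocked[i] = ctx; ctx->on_list = 1; return; }
}

static void unlink_blocked(struct decoder *dec, struct read_ctx *ctx)
{
    for (int i = 0; i < MAX_BLOCKED; i++)
        if (dec->blocked[i] == ctx) dec->blocked[i] = NULL;
    ctx->on_list = 0;
}

/* Error path as described before the fix: the flag is cleared and the object
 * freed, but the blocked-list slot still points at it. */
static void handle_error_buggy(struct decoder *dec, struct read_ctx *ctx)
{
    (void)dec;
    if (ctx->on_list) ctx->on_list = 0;
    ctx_free(ctx);
}

/* Error path after the fix: unlink from the blocked list, then free. */
static void handle_error_fixed(struct decoder *dec, struct read_ctx *ctx)
{
    if (ctx->on_list) unlink_blocked(dec, ctx);
    ctx_free(ctx);
}

/* Step 3: runs once new dynamic-table entries arrive. Returns how many
 * blocked-list entries point at already-freed objects (should be 0). */
static int process_blocked(struct decoder *dec)
{
    int dangling = 0;
    for (int i = 0; i < MAX_BLOCKED; i++) {
        struct read_ctx *ctx = dec->blocked[i];
        if (!ctx) continue;
        if (!ctx->alive) { dangling++; dec->blocked[i] = NULL; continue; }
        if (ctx->ric <= dec->insert_count)
            unlink_blocked(dec, ctx); /* a real decoder would resume decoding here */
    }
    return dangling;
}

/* Replays the three steps; returns the number of dangling entries found. */
int run_scenario(int fixed)
{
    struct decoder dec = { .insert_count = 10 };
    struct read_ctx *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return -1;
    ctx->ric = 17;
    ctx->alive = 1;

    stash_blocked(&dec, ctx);                 /* 1) blocked: RIC 17 > 10 inserted */
    if (fixed) handle_error_fixed(&dec, ctx); /* 2) decompression error on the block */
    else       handle_error_buggy(&dec, ctx);

    dec.insert_count = 17;                    /* 3) RIC 17 is now satisfied */
    int dangling = process_blocked(&dec);
    free(ctx);                                /* real release, after the check */
    return dangling;
}

int main(void)
{
    printf("buggy error path: %d dangling, fixed error path: %d dangling\n",
           run_scenario(0), run_scenario(1));
    return 0;
}
```

The model keeps "freed" memory readable on purpose so the stale entry is observable; in the real library the same sequence dereferences memory returned to the allocator, which is why the commit reports a coredump rather than a counter.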