GitHub user canselcik opened a pull request:
https://github.com/apache/trafficserver/pull/323
Dereferencing a NULL pointer in SpdyClientSession::clear()
- At `SpdyClientSession.cc:28`, `static ClassAllocator<SpdyClientSession>
spdyClientSessionAllocator` creates an instance of `SpdyClientSession` using
the default constructor.
- From that point on, `spdyClientSessionAllocator.alloc()` essentially
calls memcpy on this prototype as an optimization to return new instances.
- The regular usage of `SpdyClientSession` ensures that
`SpdyClientSession::init()` would be called before its destructor is invoked.
This init function sets the value of the `mutex` pointer inside
`SpdyClientSession` from its initial value of `NULL`.
- When `ClassAllocator` is being freed, the destructor on its
`SpdyClientSession` prototype is called. However, the `mutex` inside the
prototype is `NULL` and dereferencing it to get to
`this->mutex->thread_holding` causes a SEGFAULT.
@bgaff
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/canselcik/trafficserver spdy-sigsegv
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/trafficserver/pull/323.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #323
----
commit 24c5510c7f89dd7d3aedeba99e5f6f96e01945d5
Author: Can Selcik <[email protected]>
Date: 2015-11-05T03:43:24Z
Dereferencing a NULL pointer in SpdyClientSession::clear()
- At `SpdyClientSession.cc:28`, `static ClassAllocator<SpdyClientSession>
spdyClientSessionAllocator` creates an instance of `SpdyClientSession` using
the default constructor.
- From that point on, `spdyClientSessionAllocator.alloc()` essentially
calls memcpy on this prototype as an optimization to return new instances.
- The regular usage of `SpdyClientSession` ensures that
`SpdyClientSession::init()` would be called before its destructor is invoked.
This init function sets the value of the `mutex` pointer inside
`SpdyClientSession` from its initial value of `NULL`.
- When `ClassAllocator` is being freed, the destructor on its
`SpdyClientSession` prototype is called. However, the `mutex` inside the
prototype is `NULL` and dereferencing it to get to
`this->mutex->thread_holding` causes a SEGFAULT.
----
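The lifecycle the description walks through (a default-constructed prototype held by a static allocator, byte copies of it handed out by alloc(), init() setting the mutex, and the destructor reaching through the mutex at teardown) is easier to see in a stand-alone reduction. The following is an added example written for this page, not code from the pull request or from Apache Traffic Server: `ProxyMutex`, `Session`, `PrototypeAllocator` and the `clear_unguarded()` / `clear_guarded()` pair are hypothetical stand-ins chosen to mirror the behaviour the PR text describes, and the `"ET_NET 0"` thread name is a constructed sample value.

```cpp
#include <cstdio>
#include <cstring>
#include <new>

// Stand-in for the mutex the session points at; `thread_holding` is the
// field the PR description says the destructor reaches through.
struct ProxyMutex {
    const char *thread_holding;
};

// Hypothetical minimal session, not SpdyClientSession itself.
struct Session {
    ProxyMutex *mutex = nullptr;   // NULL from the default constructor until init()
    int id = 0;

    void init(ProxyMutex *m, int new_id) {
        mutex = m;
        id = new_id;
    }

    // Unguarded clear(): the shape of the bug. Fine after init(), but on a
    // never-initialised object `mutex` is NULL and this dereferences it.
    const char *clear_unguarded() {
        return mutex->thread_holding;
    }

    // Guarded clear(): skips the dereference when the object was never
    // initialised, which is exactly the state of the allocator's prototype.
    const char *clear_guarded() {
        if (mutex == nullptr) {
            return nullptr;
        }
        return mutex->thread_holding;
    }

    // The destructor runs clear(); with the guarded version the prototype
    // can be torn down safely at static-destruction time.
    ~Session() { clear_guarded(); }
};

// Toy prototype allocator (an assumption modelled on the description of
// ClassAllocator, not its real code): one default-constructed prototype,
// and alloc() hands out raw byte copies of it.
template <class T>
class PrototypeAllocator {
public:
    PrototypeAllocator() : proto_(new (storage_) T()) {}
    ~PrototypeAllocator() { proto_->~T(); }   // destructor runs on the prototype

    T *alloc() {
        void *mem = ::operator new(sizeof(T));
        // Byte copy of the prototype: the copy inherits mutex == nullptr.
        std::memcpy(mem, static_cast<const void *>(proto_), sizeof(T));
        return static_cast<T *>(mem);
    }

    void release(T *p) {
        p->~T();
        ::operator delete(p);
    }

private:
    alignas(T) unsigned char storage_[sizeof(T)];
    T *proto_;
};

// Tearing down an allocator whose prototype was never init()'d must not crash.
bool prototype_destruction_is_safe() {
    {
        PrototypeAllocator<Session> allocator;
    }
    return true;
}

// A fresh copy carries the prototype's NULL mutex, so clear_unguarded()
// would be unsafe on it until init() has run.
bool fresh_copy_has_null_mutex() {
    PrototypeAllocator<Session> allocator;
    Session *s = allocator.alloc();
    bool null_mutex = (s->mutex == nullptr);
    allocator.release(s);   // destructor takes the guarded path
    return null_mutex;
}

// The normal lifecycle: init() first, then clear() sees a live mutex.
bool init_then_clear_sees_mutex() {
    static ProxyMutex m = {"ET_NET 0"};   // constructed sample mutex
    PrototypeAllocator<Session> allocator;
    Session *s = allocator.alloc();
    s->init(&m, 1);
    bool ok = std::strcmp(s->clear_unguarded(), "ET_NET 0") == 0 &&
              s->clear_guarded() == m.thread_holding;
    allocator.release(s);
    return ok;
}

int main() {
    std::printf("prototype teardown safe: %d\n", prototype_destruction_is_safe());
    std::printf("fresh copy has NULL mutex: %d\n", fresh_copy_has_null_mutex());
    std::printf("init then clear ok: %d\n", init_then_clear_sees_mutex());
    return 0;
}
```

Swapping the destructor's call from `clear_guarded()` to `clear_unguarded()` reproduces the crash the PR reports: the prototype inside `PrototypeAllocator` is destroyed without ever having been through `init()`, so the first teardown dereferences a NULL `mutex`. The guard in `clear_guarded()` is the minimal check a practitioner would expect the fix to add; it costs one comparison and leaves the post-`init()` path unchanged.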