[master] 9f1d6a906 v1l: Prevent conceptual use-after-free
Dridi Boukelmoune
dridi.boukelmoune at gmail.com
Tue Aug 17 06:57:06 UTC 2021
commit 9f1d6a906b1d99b4d4daea2caf99578e640544c8
Author: Dridi Boukelmoune <dridi.boukelmoune at gmail.com>
Date: Tue Jul 13 07:55:15 2021 +0200
v1l: Prevent conceptual use-after-free
The miniobj resides in the workspace it's rolling back. To preserve its
zeroing we need to roll back afterwards.
diff --git a/bin/varnishd/http1/cache_http1_line.c b/bin/varnishd/http1/cache_http1_line.c
index 52e1c88b0..006119e98 100644
--- a/bin/varnishd/http1/cache_http1_line.c
+++ b/bin/varnishd/http1/cache_http1_line.c
@@ -127,6 +127,8 @@ enum sess_close
V1L_Close(struct worker *wrk, uint64_t *cnt)
{
struct v1l *v1l;
+ struct ws *ws;
+ uintptr_t ws_snap;
enum sess_close sc;
CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
@@ -136,8 +138,10 @@ V1L_Close(struct worker *wrk, uint64_t *cnt)
wrk->v1l = NULL;
CHECK_OBJ_NOTNULL(v1l, V1L_MAGIC);
*cnt = v1l->cnt;
- WS_Rollback(v1l->ws, v1l->ws_snap);
+ ws = v1l->ws;
+ ws_snap = v1l->ws_snap;
ZERO_OBJ(v1l, sizeof *v1l);
+ WS_Rollback(ws, ws_snap);
return (sc);
}
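Review bot: The statement order at the end of V1L_Close is now load-bearing, but nothing in the code says why `ws` and `ws_snap` are copied into locals. A later cleanup could fold them back into `WS_Rollback(v1l->ws, v1l->ws_snap)` ahead of the `ZERO_OBJ`, which would reintroduce the write into memory that the workspace has already released. I would add a comment above `ws = v1l->ws;`, for example `/* v1l is allocated from ws: save what the rollback needs, zero the object, roll back last */`. The definition of `ZERO_OBJ` is not visible here, so it is worth confirming that the zeroing cannot be dropped as a dead store now that the memory is handed back right after it. The function body starts outside this hunk, so the assignment of `sc` and the first use of `v1l` are not covered by this note.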