diff options
| author |  Craig Tiller <ctiller@google.com> | 2016-10-27 16:51:25 -0700 |
|---|---|---|
| committer | Craig Tiller <ctiller@google.com> | 2016-10-27 16:51:25 -0700 |
| commit | 693d3949b420aac2f4e9956eedaf4296b64c689f (patch) | |
| tree | 25781474e83bd6aa7c8f992a5b44f9c108aeeae5 /src/core/ext/client_channel/client_channel.c | |
| parent | 7a4089769db7af2d75a6e09708896746a3cc08bd (diff) | |
Fix potential use-after-free: connected subchannel gets destroyed after its been picked by an lbpolicy
Diffstat (limited to 'src/core/ext/client_channel/client_channel.c')
| -rw-r--r-- | src/core/ext/client_channel/client_channel.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/core/ext/client_channel/client_channel.c b/src/core/ext/client_channel/client_channel.c index 80b4f048c2..ff773ac334 100644 --- a/src/core/ext/client_channel/client_channel.c +++ b/src/core/ext/client_channel/client_channel.c @@ -1022,6 +1022,10 @@ static void cc_destroy_call_elem(grpc_exec_ctx *exec_ctx, GPR_ASSERT(calld->creation_phase == GRPC_SUBCHANNEL_CALL_HOLDER_NOT_CREATING); gpr_mu_destroy(&calld->mu); GPR_ASSERT(calld->waiting_ops_count == 0); + if (calld->connected_subchannel != NULL) { + GRPC_CONNECTED_SUBCHANNEL_UNREF(exec_ctx, calld->connected_subchannel, + "picked"); + } gpr_free(calld->waiting_ops); gpr_free(and_free_memory); } |