diff options
| author |  David Garcia Quintas <dgq@google.com> | 2017-08-31 09:05:02 -0700 |
|---|---|---|
| committer | David Garcia Quintas <dgq@google.com> | 2017-08-31 09:16:34 -0700 |
| commit | d49e9a4d21e443af2c37eb33c614eb5b23b7dec7 (patch) | |
| tree | ff31e1493e00914016687f6d3984c5c1d2db16b5 /src/core | |
| parent | 0c21e334c75b4ced6f242f5639daa58899569863 (diff) | |
Fake resolver: Fix use-after-free
Diffstat (limited to 'src/core')
| -rw-r--r-- | src/core/ext/filters/client_channel/resolver/fake/fake_resolver.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.c b/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.c index 56ed4371a9..302b73e5e8 100644 --- a/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.c +++ b/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.c @@ -125,7 +125,6 @@ static const grpc_resolver_vtable fake_resolver_vtable = { struct grpc_fake_resolver_response_generator { fake_resolver* resolver; // Set by the fake_resolver constructor to itself. - grpc_channel_args* next_response; gpr_refcount refcount; }; @@ -151,19 +150,25 @@ void grpc_fake_resolver_response_generator_unref( } } +typedef struct set_response_cb_arg { + grpc_fake_resolver_response_generator* generator; + grpc_channel_args* next_response; +} set_response_cb_arg; + static void set_response_cb(grpc_exec_ctx* exec_ctx, void* arg, grpc_error* error) { - grpc_fake_resolver_response_generator* generator = - (grpc_fake_resolver_response_generator*)arg; + set_response_cb_arg* cb_arg = arg; + grpc_fake_resolver_response_generator* generator = cb_arg->generator; fake_resolver* r = generator->resolver; if (r->next_results != NULL) { grpc_channel_args_destroy(exec_ctx, r->next_results); } - r->next_results = generator->next_response; + r->next_results = cb_arg->next_response; if (r->results_upon_error != NULL) { grpc_channel_args_destroy(exec_ctx, r->results_upon_error); } - r->results_upon_error = grpc_channel_args_copy(generator->next_response); + r->results_upon_error = grpc_channel_args_copy(cb_arg->next_response); + gpr_free(cb_arg); fake_resolver_maybe_finish_next_locked(exec_ctx, r); } @@ -171,9 +176,11 @@ void grpc_fake_resolver_response_generator_set_response( grpc_exec_ctx* exec_ctx, grpc_fake_resolver_response_generator* generator, grpc_channel_args* next_response) { GPR_ASSERT(generator->resolver != NULL); - generator->next_response = grpc_channel_args_copy(next_response); + set_response_cb_arg* cb_arg = gpr_zalloc(sizeof(*cb_arg)); + cb_arg->generator = generator; + cb_arg->next_response = grpc_channel_args_copy(next_response); GRPC_CLOSURE_SCHED( - exec_ctx, GRPC_CLOSURE_CREATE(set_response_cb, generator, + exec_ctx, GRPC_CLOSURE_CREATE(set_response_cb, cb_arg, grpc_combiner_scheduler( generator->resolver->base.combiner)), GRPC_ERROR_NONE); |