nghttpx: Fix heap-after-free crash in https upstream

Add Upstream::on_handler_delete() hook to safely write log for HttpsUpstream.

nghttpx: Fix heap-after-free crash in https upstream
Add Upstream::on_handler_delete() hook to safely write log for HttpsUpstream.
27609327 · Tatsuhiro Tsujikawa · 958cd0de · 27609327 · 27609327 · 27609327
Commit 27609327 authored Nov 19, 2014 by Tatsuhiro Tsujikawa
8 changed files
--- a/src/shrpx_client_handler.cc
+++ b/src/shrpx_client_handler.cc
@@ -221,6 +221,10 @@ ClientHandler::~ClientHandler()
    CLOG(INFO, this) << "Deleting";
  }
+  if(upstream_) {
+    upstream_->on_handler_delete();
+  }
  --worker_stat_->num_connections;
  // TODO If backend is http/2, and it is in CONNECTED state, signal

--- a/src/shrpx_http2_upstream.cc
+++ b/src/shrpx_http2_upstream.cc
@@ -1466,4 +1466,7 @@ void Http2Upstream::reset_timeouts()
                                  &get_config()->upstream_write_timeout);
 }
+void Http2Upstream::on_handler_delete()
+{}
 } // namespace shrpx
--- a/src/shrpx_http2_upstream.h
+++ b/src/shrpx_http2_upstream.h
@@ -74,6 +74,8 @@ public:
                                 const uint8_t *data, size_t len, bool flush);
  virtual int on_downstream_body_complete(Downstream *downstream);
+  virtual void on_handler_delete();
  virtual void reset_timeouts();
  bool get_flow_control() const;

--- a/src/shrpx_https_upstream.cc
+++ b/src/shrpx_https_upstream.cc
@@ -57,12 +57,7 @@ HttpsUpstream::HttpsUpstream(ClientHandler *handler)
 }
 HttpsUpstream::~HttpsUpstream()
-{
+{}
-  if(downstream_ &&
-     downstream_->get_response_state() == Downstream::MSG_COMPLETE) {
-    handler_->write_accesslog(downstream_.get());
-  }
-}
 void HttpsUpstream::reset_current_header_length()
 {
@@ -977,4 +972,12 @@ void HttpsUpstream::reset_timeouts()
                                  &get_config()->upstream_write_timeout);
 }
+void HttpsUpstream::on_handler_delete()
+{
+  if(downstream_ &&
+     downstream_->get_response_state() == Downstream::MSG_COMPLETE) {
+    handler_->write_accesslog(downstream_.get());
+  }
+}
 } // namespace shrpx
--- a/src/shrpx_https_upstream.h
+++ b/src/shrpx_https_upstream.h
@@ -67,6 +67,8 @@ public:
                                 const uint8_t *data, size_t len, bool flush);
  virtual int on_downstream_body_complete(Downstream *downstream);
+  virtual void on_handler_delete();
  virtual void reset_timeouts();
  void reset_current_header_length();

--- a/src/shrpx_spdy_upstream.cc
+++ b/src/shrpx_spdy_upstream.cc
@@ -1154,4 +1154,7 @@ void SpdyUpstream::reset_timeouts()
                                  &get_config()->upstream_write_timeout);
 }
+void SpdyUpstream::on_handler_delete()
+{}
 } // namespace shrpx
--- a/src/shrpx_spdy_upstream.h
+++ b/src/shrpx_spdy_upstream.h
@@ -73,6 +73,8 @@ public:
                                 const uint8_t *data, size_t len, bool flush);
  virtual int on_downstream_body_complete(Downstream *downstream);
+  virtual void on_handler_delete();
  virtual void reset_timeouts();
  bool get_flow_control() const;

--- a/src/shrpx_upstream.h
+++ b/src/shrpx_upstream.h
@@ -56,6 +56,8 @@ public:
                                 bool flush) = 0;
  virtual int on_downstream_body_complete(Downstream *downstream) = 0;
+  virtual void on_handler_delete() = 0;
  virtual void pause_read(IOCtrlReason reason) = 0;
  virtual int resume_read(IOCtrlReason reason, Downstream *downstream,
                          size_t consumed) = 0;