Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / grpc-grpc / bf19c3332161b26f3942ed7b3a711bdc4dd923bc^1..bf19c3332161b26f3942ed7b3a711bdc4dd923bc / .
commitbf19c3332161b26f3942ed7b3a711bdc4dd923bc[log] [tgz]
authorYash Tibrewal <yashkt@google.com>Thu Feb 08 14:23:11 2018 -0800
committerGitHub <noreply@github.com>Thu Feb 08 14:23:11 2018 -0800
tree8e6bf88c3925e71a993e0da1faa775abc5437b0e
parentdfcb73dbb4c5774b49b4d2e54be7f9d2b0d2276b [diff]
parentba1c61450092dbde06ae4fc003f9e71b91ad332d [diff]
Merge pull request #14379 from yashykt/chttp2_heap_use_after_free

Fix heap use-after-free bug in chttp2 reported by fuzzer
diff --git a/src/core/ext/transport/chttp2/transport/chttp2_transport.cc b/src/core/ext/transport/chttp2/transport/chttp2_transport.cc
index fe05e43..2d92a7e 100644
--- a/src/core/ext/transport/chttp2/transport/chttp2_transport.cc
+++ b/src/core/ext/transport/chttp2/transport/chttp2_transport.cc

@@ -1668,6 +1668,7 @@
   if (error == GRPC_ERROR_NONE) {
     grpc_chttp2_initiate_write(t, GRPC_CHTTP2_INITIATE_WRITE_RETRY_SEND_PING);
   }
+  GRPC_CHTTP2_UNREF_TRANSPORT(t, "retry_initiate_ping_locked");
 }
 
 void grpc_chttp2_ack_ping(grpc_chttp2_transport* t, uint64_t id) {

diff --git a/src/core/ext/transport/chttp2/transport/writing.cc b/src/core/ext/transport/chttp2/transport/writing.cc
index 95358ab..1d6c9b0 100644
--- a/src/core/ext/transport/chttp2/transport/writing.cc
+++ b/src/core/ext/transport/chttp2/transport/writing.cc

@@ -88,6 +88,7 @@
     }
     if (!t->ping_state.is_delayed_ping_timer_set) {
       t->ping_state.is_delayed_ping_timer_set = true;
+      GRPC_CHTTP2_REF_TRANSPORT(t, "retry_initiate_ping_locked");
       grpc_timer_init(&t->ping_state.delayed_ping_timer, next_allowed_ping,
                       &t->retry_initiate_ping_locked);
     }

diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/poc-2d730ebd78b3052e4367ad0d485208dcb205482cbcd6289f17907989b8de1fba b/test/core/end2end/fuzzers/api_fuzzer_corpus/poc-2d730ebd78b3052e4367ad0d485208dcb205482cbcd6289f17907989b8de1fba
new file mode 100644
index 0000000..89e28bb
--- /dev/null
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/poc-2d730ebd78b3052e4367ad0d485208dcb205482cbcd6289f17907989b8de1fba
Binary files differ

diff --git a/tools/run_tests/generated/tests.json b/tools/run_tests/generated/tests.json
index 0d65cc4..12948c8 100644
--- a/tools/run_tests/generated/tests.json
+++ b/tools/run_tests/generated/tests.json

@@ -105337,6 +105337,29 @@
   }, 
   {
     "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/poc-2d730ebd78b3052e4367ad0d485208dcb205482cbcd6289f17907989b8de1fba"
+    ], 
+    "ci_platforms": [
+      "linux"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [
+      "tsan"
+    ], 
+    "exclude_iomgrs": [
+      "uv"
+    ], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "mac", 
+      "linux"
+    ], 
+    "uses_polling": false
+  }, 
+  {
+    "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/poc-c726ee220e980ed6ad17809fd9efe2844ee61555ac08e4f88afd8901cc2dd53a"
     ], 
     "ci_platforms": [