[Bug]: Possible race condition in WinHTTP backend #12563
Labels
bug
Something isn't working
Comments
JGRennison
added a commit
to JGRennison/Upstream-OpenTTD
that referenced
this issue
May 11, 2024
rubidium42
pushed a commit
that referenced
this issue
May 23, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Version of OpenTTD
master
Expected result
No possible race conditions, etc.
Actual result
In the WinHTTP backend there are various instances of this pattern:
where
thisis a NetworkHTTPRequest.This appears to be a racy (albeit with a narrow window), because finished is made true before is the callback queue is appended to. If the callback queue was previously empty, it would appear that the NetworkHTTPRequest instance is liable for deletion via
NetworkHTTPSocketHandler::HTTPReceiveandNetworkHTTPRequest::Receivein the gap after finished is set to true, but before callback.OnFailure is called. It would seem that this could result in the call tocallback.OnFailurebeing a use after free because*thishas already been destructed.Probably
finishedshould be assigned after callingcallback.OnFailure(i.e. release semantics), and inNetworkHTTPRequest::Receiveit should be read once, first (i.e. acquire semantics).Steps to reproduce
See http_winhttp.cpp
The text was updated successfully, but these errors were encountered: