Fix use-after-free crash when creating custom user messages#1298
Merged
dvander merged 1 commit intoalliedmodders:masterfrom Jun 23, 2020
Merged
Fix use-after-free crash when creating custom user messages#1298dvander merged 1 commit intoalliedmodders:masterfrom
dvander merged 1 commit intoalliedmodders:masterfrom
Conversation
When creating our own "owned and local" protobuf message in `StartProtobufMessage`, `m_FakeEngineBuffer` is used to track that message. In `EndMessage` the message is optionally converted to a "private" one with the right abi on osx and passed to the engine's `SendUserMessage`. On linux and windows the same message as in the `m_FakeEngineBuffer` is passed though without conversion. `engine->SendUserMessage` has a vtable hook which sets `m_FakeEngineBuffer` to the passed argument. `m_FakeEngineBuffer` frees the message it previously held, since it's "owned" from `StartProtobufMessage`, but that's the same one that's passed in as argument so a use-after-free in the engine happens when the now-freed message pointer is forwarded to the real `SendUserMessage` in the engine. The message created in `StartProtobufMessage` wasn't free'd at all when hooks are blocked too. This fix moves the message buffer into a local variable which is destroyed at the end of the function. Fixes alliedmodders#1286 and alliedmodders#1296
dvander
approved these changes
Jun 23, 2020
Headline
approved these changes
Jun 23, 2020
Member
Headline
left a comment
Headline
left a comment
There was a problem hiding this comment.
Thanks PM! You’re awesome ❤️
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When creating our own "owned and local" protobuf message in
StartProtobufMessage,m_FakeEngineBufferis used to track that message. InEndMessagethe message is optionally converted to a "private" one with the right abi on osx and passed to the engine'sSendUserMessage. On linux and windows the same message as in them_FakeEngineBufferis passed though without conversion.engine->SendUserMessagehas a vtable hook which setsm_FakeEngineBufferto the passed argument.m_FakeEngineBufferfrees the message it previously held, since it's "owned" fromStartProtobufMessage, but that's the same one that's passed in as argument so a use-after-free in the engine happens when the now-freed message pointer is forwarded to the realSendUserMessagein the engine.The message created in
StartProtobufMessagewasn't free'd at all when hooks are blocked too. This fix moves the message buffer into a local variable which is destroyed at the end of the function.Fixes #1286 and #1296