Skip to content

Commit 547e7ed

Browse files
neildneild
committed
http2: avoid referencing ResponseWrite.Write parameter after returning
When writing data frames, encode the frame on the serve goroutine rather than in writeFrameAsync to avoid referencing stream data (originating from a ResponseWriter.Write call) after the Write has returned. Fixes golang/go#58446 Change-Id: I866a7351c90ef122e506b333151f98a455a64953 Reviewed-on: https://go-review.googlesource.com/c/net/+/467355 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Bryan Mills <[email protected]>
1 parent 39940ad commit 547e7ed

File tree

3 files changed

+100
-4
lines changed

3 files changed

+100
-4
lines changed

http2/frame.go

+10-1
Original file line numberDiff line numberDiff line change
@@ -662,6 +662,15 @@ func (f *Framer) WriteData(streamID uint32, endStream bool, data []byte) error {
662662
// It is the caller's responsibility not to violate the maximum frame size
663663
// and to not call other Write methods concurrently.
664664
func (f *Framer) WriteDataPadded(streamID uint32, endStream bool, data, pad []byte) error {
665+
if err := f.startWriteDataPadded(streamID, endStream, data, pad); err != nil {
666+
return err
667+
}
668+
return f.endWrite()
669+
}
670+
671+
// startWriteDataPadded is WriteDataPadded, but only writes the frame to the Framer's internal buffer.
672+
// The caller should call endWrite to flush the frame to the underlying writer.
673+
func (f *Framer) startWriteDataPadded(streamID uint32, endStream bool, data, pad []byte) error {
665674
if !validStreamID(streamID) && !f.AllowIllegalWrites {
666675
return errStreamID
667676
}
@@ -691,7 +700,7 @@ func (f *Framer) WriteDataPadded(streamID uint32, endStream bool, data, pad []by
691700
}
692701
f.wbuf = append(f.wbuf, data...)
693702
f.wbuf = append(f.wbuf, pad...)
694-
return f.endWrite()
703+
return nil
695704
}
696705

697706
// A SettingsFrame conveys configuration parameters that affect how

http2/server.go

+15-3
Original file line numberDiff line numberDiff line change
@@ -843,8 +843,13 @@ type frameWriteResult struct {
843843
// and then reports when it's done.
844844
// At most one goroutine can be running writeFrameAsync at a time per
845845
// serverConn.
846-
func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest) {
847-
err := wr.write.writeFrame(sc)
846+
func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest, wd *writeData) {
847+
var err error
848+
if wd == nil {
849+
err = wr.write.writeFrame(sc)
850+
} else {
851+
err = sc.framer.endWrite()
852+
}
848853
sc.wroteFrameCh <- frameWriteResult{wr: wr, err: err}
849854
}
850855

@@ -1251,9 +1256,16 @@ func (sc *serverConn) startFrameWrite(wr FrameWriteRequest) {
12511256
sc.writingFrameAsync = false
12521257
err := wr.write.writeFrame(sc)
12531258
sc.wroteFrame(frameWriteResult{wr: wr, err: err})
1259+
} else if wd, ok := wr.write.(*writeData); ok {
1260+
// Encode the frame in the serve goroutine, to ensure we don't have
1261+
// any lingering asynchronous references to data passed to Write.
1262+
// See https://go.dev/issue/58446.
1263+
sc.framer.startWriteDataPadded(wd.streamID, wd.endStream, wd.p, nil)
1264+
sc.writingFrameAsync = true
1265+
go sc.writeFrameAsync(wr, wd)
12541266
} else {
12551267
sc.writingFrameAsync = true
1256-
go sc.writeFrameAsync(wr)
1268+
go sc.writeFrameAsync(wr, nil)
12571269
}
12581270
}
12591271

http2/server_test.go

+75
Original file line numberDiff line numberDiff line change
@@ -4631,3 +4631,78 @@ func TestCanonicalHeaderCacheGrowth(t *testing.T) {
46314631
}
46324632
}
46334633
}
4634+
4635+
// TestServerWriteDoesNotRetainBufferAfterStreamClose checks for access to
4636+
// the slice passed to ResponseWriter.Write after Write returns.
4637+
//
4638+
// Terminating the request stream on the client causes Write to return.
4639+
// We should not access the slice after this point.
4640+
func TestServerWriteDoesNotRetainBufferAfterReturn(t *testing.T) {
4641+
donec := make(chan struct{})
4642+
st := newServerTester(t, func(w http.ResponseWriter, r *http.Request) {
4643+
defer close(donec)
4644+
buf := make([]byte, 1<<20)
4645+
var i byte
4646+
for {
4647+
i++
4648+
_, err := w.Write(buf)
4649+
for j := range buf {
4650+
buf[j] = byte(i) // trigger race detector
4651+
}
4652+
if err != nil {
4653+
return
4654+
}
4655+
}
4656+
}, optOnlyServer)
4657+
defer st.Close()
4658+
4659+
tr := &Transport{TLSClientConfig: tlsConfigInsecure}
4660+
defer tr.CloseIdleConnections()
4661+
4662+
req, _ := http.NewRequest("GET", st.ts.URL, nil)
4663+
res, err := tr.RoundTrip(req)
4664+
if err != nil {
4665+
t.Fatal(err)
4666+
}
4667+
res.Body.Close()
4668+
<-donec
4669+
}
4670+
4671+
// TestServerWriteDoesNotRetainBufferAfterServerClose checks for access to
4672+
// the slice passed to ResponseWriter.Write after Write returns.
4673+
//
4674+
// Shutting down the Server causes Write to return.
4675+
// We should not access the slice after this point.
4676+
func TestServerWriteDoesNotRetainBufferAfterServerClose(t *testing.T) {
4677+
donec := make(chan struct{}, 1)
4678+
st := newServerTester(t, func(w http.ResponseWriter, r *http.Request) {
4679+
donec <- struct{}{}
4680+
defer close(donec)
4681+
buf := make([]byte, 1<<20)
4682+
var i byte
4683+
for {
4684+
i++
4685+
_, err := w.Write(buf)
4686+
for j := range buf {
4687+
buf[j] = byte(i)
4688+
}
4689+
if err != nil {
4690+
return
4691+
}
4692+
}
4693+
}, optOnlyServer)
4694+
defer st.Close()
4695+
4696+
tr := &Transport{TLSClientConfig: tlsConfigInsecure}
4697+
defer tr.CloseIdleConnections()
4698+
4699+
req, _ := http.NewRequest("GET", st.ts.URL, nil)
4700+
res, err := tr.RoundTrip(req)
4701+
if err != nil {
4702+
t.Fatal(err)
4703+
}
4704+
defer res.Body.Close()
4705+
<-donec
4706+
st.ts.Config.Close()
4707+
<-donec
4708+
}

0 commit comments

Comments
 (0)