event/SocketMonitor: don't cancel if OnSocketReady() returns false

Expect OnSocketReady() to cancel events. If it returns false, the SocketMonitor may be destructed already. This fixes a use-after-free bug in the "httpd" output plugin.
2019-04-03 23:23:56 +02:00 · 2019-04-03 23:23:56 +02:00 · f6941f9a44
parent d2eb4df8fc
commit f6941f9a44
4 changed files with 8 additions and 11 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 ver 0.21.8 (not yet released)
 * output
  - httpd: add missing mutex lock
+  - httpd: fix use-after-free bug
 * fix Bonjour bug
 * fix build failure with GCC 9

--- a/src/db/plugins/ProxyDatabasePlugin.cxx
+++ b/src/db/plugins/ProxyDatabasePlugin.cxx
@ -568,7 +568,8 @@ ProxyDatabase::OnSocketReady(gcc_unused unsigned flags) noexcept
 	if (!is_idle) {
 		// TODO: can this happen?
 		IdleMonitor::Schedule();
-		return false;
+		SocketMonitor::Cancel();
+		return true;
 	}

 	unsigned idle = (unsigned)mpd_recv_idle(connection, false);
@ -586,7 +587,8 @@ ProxyDatabase::OnSocketReady(gcc_unused unsigned flags) noexcept
 	idle_received |= idle;
 	is_idle = false;
 	IdleMonitor::Schedule();
-	return false;
+	SocketMonitor::Cancel();
+	return true;
 }

 void
--- a/src/event/BufferedSocket.cxx
+++ b/src/event/BufferedSocket.cxx
@ -110,15 +110,9 @@ BufferedSocket::OnSocketReady(unsigned flags) noexcept
 	if (flags & READ) {
 		assert(!input.IsFull());

-		if (!ReadToBuffer())
+		if (!ReadToBuffer() || !ResumeInput())
 			return false;

-		if (!ResumeInput())
-			/* we must return "true" here or
-			   SocketMonitor::Dispatch() will call
-			   Cancel() on a freed object */
-			return true;
-
 		if (!input.IsFull())
 			ScheduleRead();
 	}
--- a/src/event/SocketMonitor.cxx
+++ b/src/event/SocketMonitor.cxx
@ -33,8 +33,8 @@ SocketMonitor::Dispatch(unsigned flags) noexcept
 {
 	flags &= GetScheduledFlags();

-	if (flags != 0 && !OnSocketReady(flags) && IsDefined())
-		Cancel();
+	if (flags != 0)
+		OnSocketReady(flags);
 }

 SocketMonitor::~SocketMonitor() noexcept