From d759ae5ecfcc6f1069decdb2511ec32bf12a1663 Mon Sep 17 00:00:00 2001 From: Oliver Kurth Date: Wed, 10 Apr 2019 14:14:53 -0700 Subject: [PATCH] Asyncsocket in low latency send mode may write into freed memory Blast service encounters access violation exception during scale tests in AsyncTCPSocketSend() at bora\lib\asyncsocket\asyncsocket.c. Root cause is asock refcount is not incremented before the inline invocation of AsyncTCPSocketSendCallback() in the low latency send mode and asock is accessed right after this invocation to decrement inLowLatencySendCb counter. AsyncTCPSocketSendCallback() on error would invoke error handler which in turn could close the asock leading to freeing of asock. Issue wouldn't happen if AsyncWebSocket impl guarded all of its transport->send(transport) calls with AsyncSocketAddRef(transport) and AsyncSocketRelease(transport) but isn't the case currently. Fix is to add and release asock reference around the inline invocation of AsyncTCPSocketSendCallback(). --- open-vm-tools/lib/asyncsocket/asyncsocket.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/open-vm-tools/lib/asyncsocket/asyncsocket.c b/open-vm-tools/lib/asyncsocket/asyncsocket.c index 855b86b49..49524396a 100644 --- a/open-vm-tools/lib/asyncsocket/asyncsocket.c +++ b/open-vm-tools/lib/asyncsocket/asyncsocket.c @@ -3054,10 +3054,16 @@ AsyncTCPSocketSend(AsyncSocket *base, // IN * consumers of asyncsocket are not expecting the completion * callback to be invoked prior to the call to * AsyncTCPSocket_Send() returning. + * + * Add and release asock reference around the send callback + * since asock may be closed by a callback invoked during + * the send workflow. */ + AsyncTCPSocketAddRef(asock); asock->inLowLatencySendCb++; asock->internalSendFn((void *)asock); asock->inLowLatencySendCb--; + AsyncTCPSocketRelease(asock); } else { #ifdef _WIN32 /* -- 2.47.3
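Review bot: the `AsyncTCPSocketRelease(asock);` added after `asock->inLowLatencySendCb--;` may drop the last reference when the callback's error path has already closed the socket (the exact scenario the commit message describes), so nothing in AsyncTCPSocketSend() after that line may dereference asock. The hunk only shows `} else {` following the release, so the code after the if/else (any lock release, return of an asock field, or logging) needs to be checked for asock access, and a short comment after the release stating that asock may be invalid from this point would make the invariant explicit for later edits. Minor: the commit message names AsyncSocketAddRef()/AsyncSocketRelease() while the hunk calls AsyncTCPSocketAddRef()/AsyncTCPSocketRelease(); aligning the message with the actual functions used would avoid confusion about which layer's refcount is being taken.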