OpenTTD / OpenTTD

OpenTTD is an open source simulation game based upon Transport Tycoon Deluxe

Home Page:https://www.openttd.org/

[Bug]: Possible race condition in WinHTTP backend

JGRennison opened this issue · comments

Version of OpenTTD

master

Expected result

No possible race conditions, etc.

Actual result

In the WinHTTP backend there are various instances of this pattern:

		this->finished = true;
		this->callback.OnFailure();

where this is a NetworkHTTPRequest.

This appears to be racy (albeit with a narrow window), because finished is made true before the callback queue is appended to. If the callback queue was previously empty, it would appear that the NetworkHTTPRequest instance is liable for deletion via NetworkHTTPSocketHandler::HTTPReceive and NetworkHTTPRequest::Receive in the gap after finished is set to true, but before callback.OnFailure is called. It would seem that this could result in the call to callback.OnFailure being a use after free because *this has already been destructed.

Probably finished should be assigned after calling callback.OnFailure (i.e. release semantics), and in NetworkHTTPRequest::Receive it should be read once, first (i.e. acquire semantics).

Steps to reproduce

See http_winhttp.cpp
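A hand-stepped model of the ordering problem described in this issue, added here as an example and not OpenTTD's own code. `Model`, `Request`, `Simulate` and the raw-pointer queue are stand-ins for the real NetworkHTTPRequest, its callback queue and the Receive path; the receiver is stepped between the worker's two actions so the narrow window is hit deterministically, without real threads.

```cpp
// Added example, not OpenTTD code: a hand-stepped model of the race in the issue.
// A worker "finishes" a request in two actions; the receiver polls `finished` and
// deletes the request. Pointers to a deleted request are only compared, never
// dereferenced, so the dangerous interleaving is recorded rather than executed.
#include <atomic>
#include <deque>
#include <memory>

struct Request { std::atomic<bool> finished{false}; };

struct Model {
    std::unique_ptr<Request> req = std::make_unique<Request>();  // owned by the receiver side
    std::deque<Request *> queue;   // stands in for the callback queue
    bool use_after_free = false;   // set when a worker step would touch a deleted request
    int callbacks_run = 0;

    // Receiver side (cf. NetworkHTTPRequest::Receive): read `finished` once, first, with
    // acquire semantics; only then drain the queue and delete the request.
    void Receive() {
        if (req == nullptr || !req->finished.load(std::memory_order_acquire)) return;
        while (!queue.empty()) { queue.pop_front(); callbacks_run++; }
        req.reset();   // the request is destructed here
    }

    // Worker side. Buggy order: publish `finished` first, queue the callback second.
    // Fixed order: queue the callback first, then publish with release semantics.
    void WorkerStep(int step, bool fixed, Request *self) {
        if (self != req.get()) { use_after_free = true; return; }   // *this already destructed
        bool publish = fixed ? (step == 2) : (step == 1);
        if (publish) self->finished.store(true, std::memory_order_release);
        else queue.push_back(self);
    }
};

struct Outcome { bool use_after_free; int callbacks_run; bool request_deleted; };

// Runs the interleaving worker step 1 / receive / worker step 2 / receive.
Outcome Simulate(bool fixed) {
    Model m;
    Request *self = m.req.get();   // the worker holds a raw `this`, as in the real code
    m.WorkerStep(1, fixed, self);
    m.Receive();                   // lands in the window between the two worker actions
    m.WorkerStep(2, fixed, self);
    m.Receive();
    return {m.use_after_free, m.callbacks_run, m.req == nullptr};
}
```

With the buggy order the receiver deletes the request during the window and the second worker step would run on a destructed object; with the fixed order the receiver sees `finished == false` in the window, and the callback runs exactly once before deletion.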