fix heap-use-after-free condition when cancelling spawned task, closes
…boostorg#194

The variable "recs" was allocated on a piece of memory whose lifetime
was managed at the level of the coroutine (inside its frame). This led
to access to freed memory if that coroutine (its frame) was deleted.
zkocon authored and zkocon committed Aug 12, 2024
1 parent b74d61e commit fe22515
Showing 1 changed file with 2 additions and 16 deletions.
18 changes: 2 additions & 16 deletions include/boost/cobalt/detail/spawn.hpp
Expand Up @@ -11,8 +11,6 @@
#include <boost/cobalt/task.hpp>
#include <boost/asio/dispatch.hpp>

#include <boost/smart_ptr/allocate_unique.hpp>

namespace boost::cobalt
{
template<typename T>
Expand Down Expand Up @@ -40,13 +38,7 @@ struct async_initiate_spawn
asio::get_associated_immediate_executor(h, exec),
asio::append(std::forward<Handler>(h), rec.exception, rec.exception ? T() : *rec.get_result()));

#if !defined(BOOST_COBALT_NO_PMR)
auto dalloc = pmr::polymorphic_allocator<void>{boost::cobalt::this_thread::get_default_resource()};
auto alloc = asio::get_associated_allocator(h, dalloc);
#else
auto alloc = asio::get_associated_allocator(h);
#endif
auto recs = std::allocate_shared<detail::task_receiver<T>>(alloc, std::move(rec));
auto recs = std::make_shared<detail::task_receiver<T>>(std::move(rec));

auto sl = asio::get_associated_cancellation_slot(h);
if (sl.is_connected())
Expand Down Expand Up @@ -102,13 +94,7 @@ struct async_initiate_spawn
asio::get_associated_immediate_executor(h, exec),
asio::append(std::forward<Handler>(h), a.receiver_.exception));


#if !defined(BOOST_COBALT_NO_PMR)
auto alloc = asio::get_associated_allocator(h, pmr::polymorphic_allocator<void>{boost::cobalt::this_thread::get_default_resource()});
#else
auto alloc = asio::get_associated_allocator(h);
#endif
auto recs = std::allocate_shared<detail::task_receiver<void>>(alloc, std::move(a.receiver_));
auto recs = std::make_shared<detail::task_receiver<void>>(std::move(a.receiver_));

if (recs->done)
return asio::dispatch(asio::get_associated_immediate_executor(h, exec),
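Review bot: Both new `std::make_shared` calls (the `task_receiver<T>` one and the `task_receiver<void>` one further down) stop honouring the handler's associated allocator, and nothing at either call site says why, so a later cleanup could restore `allocate_shared` and bring the use-after-free back. I would add a comment above each, e.g. `// global heap on purpose: memory from the associated/default pmr allocator can be released with the coroutine frame while cancellation still references recs (#194)`. The commit touches only spawn.hpp, so it carries no regression test; a case that cancels a spawned task and runs under AddressSanitizer would pin the fix. Both functions start and end outside the visible hunks, so how `recs` is captured on the cancellation path is inferred from the commit message rather than seen here.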