From 3069fc5eb8f8cde9187fad84d84ed507a769dc47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Vo=C3=9F?= Date: Wed, 27 Sep 2017 09:43:14 +0200 Subject: [PATCH] Increase reference count on state used in tcp connect. The state is used both in the callback for the actual connect as well as in the additional timeout that is setup for the operation. Both code paths decrease the reference count and if they happen to be queued at the same time, memory is corrupted. Subsequent behavior is undefined and segfaults can be observed as a result. Fixes #12608 --- src/core/lib/iomgr/tcp_client_uv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/lib/iomgr/tcp_client_uv.c b/src/core/lib/iomgr/tcp_client_uv.c index 786c456b735..f2b23aae2e6 100644 --- a/src/core/lib/iomgr/tcp_client_uv.c +++ b/src/core/lib/iomgr/tcp_client_uv.c @@ -145,7 +145,7 @@ static void tcp_client_connect_impl(grpc_exec_ctx *exec_ctx, connect->resource_quota = resource_quota; uv_tcp_init(uv_default_loop(), connect->tcp_handle); connect->connect_req.data = connect; - connect->refs = 1; + connect->refs = 2; // One for the connect operation, one for the timer. if (GRPC_TRACER_ON(grpc_tcp_trace)) { gpr_log(GPR_DEBUG, "CLIENT_CONNECT: %s: asynchronously connecting",