[sleep] Fix use after free discovered by fuzzer (#30542)

* minimized crash

* [sleep] Fix use after free discovered by fuzzer
pull/30546/head
Craig Tiller 2 years ago committed by GitHub
parent 0c5b6171ad
commit 9cbedfe66f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 32
      test/core/end2end/fuzzers/api_fuzzer_corpus/sleep-crash
  2. 11
      test/core/event_engine/fuzzing_event_engine/fuzzing_event_engine.cc

@ -0,0 +1,32 @@
actions {
create_server {}
}
actions {
create_channel {
target:
"unixpepPthtGK9223372036854775807"
channel_args{key : "grpc.client_idle_timeout_ms" i : 4297} channel_actions {
}
}
}
actions {
create_call {
method {
value:
"w"
}
}
}
actions {
ping {}
}
actions {
request_call {}
}
actions {
queue_batch {
operations {
send_initial_metadata {}
}
}
}

@ -121,8 +121,11 @@ void FuzzingEventEngine::Tick() {
++current_tick_;
// Find newly expired timers.
while (!tasks_by_time_.empty() && tasks_by_time_.begin()->first <= now_) {
tasks_by_id_.erase(tasks_by_time_.begin()->second->id);
to_run.push_back(std::move(tasks_by_time_.begin()->second->closure));
auto& task = *tasks_by_time_.begin()->second;
tasks_by_id_.erase(task.id);
if (task.closure != nullptr) {
to_run.push_back(std::move(task.closure));
}
tasks_by_time_.erase(tasks_by_time_.begin());
}
}
@ -197,10 +200,10 @@ bool FuzzingEventEngine::Cancel(TaskHandle handle) {
if (it == tasks_by_id_.end()) {
return false;
}
if (it->second == nullptr) {
if (it->second->closure == nullptr) {
return false;
}
it->second = nullptr;
it->second->closure = nullptr;
return true;
}

Loading…
Cancel
Save