
Commit 7d388c5

authored
Merge pull request #1557 from fl4via/UNDERTOW-2336
[UNDERTOW-2336] CVE-2024-1635 At WriteTimeoutStreamSinkConduit, add a…
2 parents b422fdf + e3bcd5b commit 7d388c5

1 file changed

+61
-21
lines changed


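--- a/core/src/main/java/io/undertow/conduits/WriteTimeoutStreamSinkConduit.java
+++ b/core/src/main/java/io/undertow/conduits/WriteTimeoutStreamSinkConduit.java
@@ -22,8 +22,8 @@
 import io.undertow.UndertowOptions;
 import io.undertow.server.OpenListener;
 import io.undertow.util.WorkerUtils;
-
 import org.xnio.Buffers;
+import org.xnio.ChannelListener;
 import org.xnio.ChannelListeners;
 import org.xnio.IoUtils;
 import org.xnio.Options;
@@ -47,7 +47,7 @@
 */
 public final class WriteTimeoutStreamSinkConduit extends AbstractStreamSinkConduit<StreamSinkConduit> {
 
-private XnioExecutor.Key handle;
+private volatile XnioExecutor.Key handle;
 private final StreamConnection connection;
 private volatile long expireTime = -1;
 private final OpenListener openListener;
@@ -82,6 +82,16 @@ public WriteTimeoutStreamSinkConduit(final StreamSinkConduit delegate, StreamCon
 super(delegate);
 this.connection = connection;
 this.openListener = openListener;
+this.connection.getCloseSetter().set((ChannelListener<StreamConnection>) channel -> {
+if (handle != null) {
+synchronized (WriteTimeoutStreamSinkConduit.this) {
+if (handle != null) {
+handle.remove();
+handle = null;
+}
+}
+}
+});
 }
 
 private void handleWriteTimeout(final long ret) throws IOException {
@@ -124,10 +134,14 @@ public long write(final ByteBuffer[] srcs, final int offset, final int length) t
 public int writeFinal(ByteBuffer src) throws IOException {
 int ret = super.writeFinal(src);
 handleWriteTimeout(ret);
-if(!src.hasRemaining()) {
-if(handle != null) {
-handle.remove();
-handle = null;
+if (!src.hasRemaining()) {
+if (handle != null) {
+synchronized (this) {
+if (handle != null) {
+handle.remove();
+handle = null;
+}
+}
 }
 }
 return ret;
@@ -137,10 +151,14 @@ public int writeFinal(ByteBuffer src) throws IOException {
 public long writeFinal(ByteBuffer[] srcs, int offset, int length) throws IOException {
 long ret = super.writeFinal(srcs, offset, length);
 handleWriteTimeout(ret);
-if(!Buffers.hasRemaining(srcs)) {
-if(handle != null) {
-handle.remove();
-handle = null;
+if (!Buffers.hasRemaining(srcs)) {
+if (handle != null) {
+synchronized (this) {
+if (handle != null) {
+handle.remove();
+handle = null;
+}
+}
 }
 }
 return ret;
@@ -200,19 +218,33 @@ private Integer getTimeout() {
 
 @Override
 public void terminateWrites() throws IOException {
-super.terminateWrites();
-if(handle != null) {
-handle.remove();
-handle = null;
+try {
+super.terminateWrites();
+} finally {
+if(handle != null) {
+synchronized (this) {
+if (this.handle != null) {
+handle.remove();
+handle = null;
+}
+}
+}
 }
 }
 
 @Override
 public void truncateWrites() throws IOException {
-super.truncateWrites();
-if(handle != null) {
-handle.remove();
-handle = null;
+try {
+super.truncateWrites();
+} finally {
+if (handle != null) {
+synchronized (this) {
+if (this.handle != null) {
+handle.remove();
+handle = null;
+}
+}
+}
 }
 }
 
@@ -233,8 +265,12 @@ public void suspendWrites() {
 
 XnioExecutor.Key handle = this.handle;
 if(handle != null) {
-handle.remove();
-this.handle = null;
+synchronized (this) {
+if (this.handle != null) {
+handle.remove();
+this.handle = null;
+}
+}
 }
 }
 
@@ -253,7 +289,11 @@ private void handleResumeTimeout() {
 expireTime = currentTime + timeout;
 XnioExecutor.Key key = handle;
 if (key == null) {
-handle = connection.getIoThread().executeAfter(timeoutCommand, timeout, TimeUnit.MILLISECONDS);
+synchronized (this) {
+if (handle == null) {
+handle = connection.getIoThread().executeAfter(timeoutCommand, timeout, TimeUnit.MILLISECONDS);
+}
+}
 }
 }
 }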
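Review bot: In the suspendWrites hunk the locked block calls `handle.remove()` on the local snapshot that was read before the monitor was taken, while the re-check and the reset use `this.handle`. If another thread (for example the close listener added in the constructor) cleared the field and handleResumeTimeout scheduled a new key in between, the already-removed key is removed again and the fresh one is set to null without being cancelled, so its timer task stays scheduled. Reading the field under the lock avoids this: `final XnioExecutor.Key current = this.handle; if (current != null) { current.remove(); this.handle = null; }`. suspendWrites begins above the hunk, so the rest of its body is not visible here. Separately, `getCloseSetter().set(...)` in the constructor fills a single listener slot, so the cleanup this fix relies on would be lost if other code sets a close listener on the same connection afterwards; those call sites are outside this diff, and a comment on the constructor stating that assumption would help.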
