Fund: LibTLS: Potential use-after-free in TLSv12::connect

I noticed this code that seems a bit sketchy:

serenity/Userland/Libraries/LibTLS/Socket.cpp

Lines 82 to 90 in b01fccc

    
           tls_socket->on_connected = [&] { 
        
               loop.quit(0); 
        
           }; 
        
           tls_socket->on_tls_error = [&](auto alert) { 
        
               loop.quit(256 - to_underlying(alert)); 
        
           }; 
        
           auto result = loop.exec(); 
        
           if (result == 0) 
        
               return tls_socket;

as well as in the other overload of the same function:

serenity/Userland/Libraries/LibTLS/Socket.cpp

Lines 102 to 111 in b01fccc

    
           Core::EventLoop loop; 
        
           tls_socket->on_connected = [&] { 
        
               loop.quit(0); 
        
           }; 
        
           tls_socket->on_tls_error = [&](auto alert) { 
        
               loop.quit(256 - to_underlying(alert)); 
        
           }; 
        
           auto result = loop.exec(); 
        
           if (result == 0) 
        
               return tls_socket;

Notice that we return tls_socket, which has tls_socket->on_connected and tls_socket->on_tls_error callback functions set that are capturing a reference to the local variable loop, which becomes invalid after the return statement. This of course assumes that there is any chance that either of these callbacks might be called after the function returns. I do not know if this is the case, but this should probably be fixed.

SerenityOS/serenity

LibTLS: Potential use-after-free in TLSv12::connect

How does funding with Polar work?

Backer

Contributor

Maintainer

	tls_socket->on_connected = [&] {
	loop.quit(0);
	};
	tls_socket->on_tls_error = [&](auto alert) {
	loop.quit(256 - to_underlying(alert));
	};
	auto result = loop.exec();
	if (result == 0)
	return tls_socket;

	Core::EventLoop loop;
	tls_socket->on_connected = [&] {
	loop.quit(0);
	};
	tls_socket->on_tls_error = [&](auto alert) {
	loop.quit(256 - to_underlying(alert));
	};
	auto result = loop.exec();
	if (result == 0)
	return tls_socket;

SerenityOS/serenity

LibTLS: Potential use-after-free in TLSv12::connect

How does funding with Polar work?

Backer

Why does "Fund on completion" require GitHub login?

When is the invoice due for "Fund on completion"?

What happens if the issue is never completed?

Do I get any extra benefits by funding?

Do I get progress updates?

Contributor

Do I get a reward?

Is rewards guaranteed?

Maintainer

How can I get funding like this for my open source initiatives?