fix: resolve use-after-free in RawClientImpl config access#15
Merged
johnlanni merged 1 commit intohigress-group:envoy-1.27from Nov 13, 2025
Merged
Conversation
Fixed a critical use-after-free bug where RawClientImpl would crash when accessing config_.disableOutlierEvents() after the config object was destroyed. Root Cause: - RawClientImpl held a const Config& reference without reference counting - When AsyncClientImpl::initialize() created a new config_ shared_ptr, the old config object was destroyed - RawClientImpl continued processing async network data and accessed the destroyed config reference, causing a crash Solution: Changed RawClientImpl to hold ConfigSharedPtr instead of const Config&, ensuring proper lifetime management through reference counting. Changes: - Modified RawClientFactory::create() to accept ConfigSharedPtr - Updated RawClientImpl to store ConfigSharedPtr instead of reference - Changed all config_.method() calls to config_->method() - Updated AsyncClientImpl to pass config_ directly (already shared_ptr) - Fixed unit tests to use ConfigSharedPtr Test Plan: - bazel build //source/exe:envoy-static - PASS - bazel test //test/extensions/filters/network/common/redis:all - PASS (3/3) - bazel test //test/extensions/filters/network/common/redis:client_impl_test - PASS Change-Id: I0c16f7930714eeee4859238ef46e620948fea9e2 Co-developed-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixed a critical use-after-free bug where RawClientImpl would crash when accessing config_.disableOutlierEvents() after the config object was destroyed.
Root Cause:
Solution:
Changed RawClientImpl to hold ConfigSharedPtr instead of const Config&, ensuring proper lifetime management through reference counting.
Changes:
Test Plan:
Co-developed-by: Claude noreply@anthropic.com
Commit Message:
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]
Note
Switch RawClient to hold and receive ConfigSharedPtr, updating factory, impl, callers, and tests to avoid lifetime issues.
const Config&withConfigSharedPtracrossRawClientFactory::create,RawClientImpl::{create,ctor}and memberconfig_.config_.method()toconfig_->method().config_directly toclient_factory_.create(...)inAsyncClientImpl::threadLocalActiveClient.ConfigSharedPtrand match new interfaces.Written by Cursor Bugbot for commit 9079b87. This will update automatically on new commits. Configure here.