Commit 028ea416 authored by Tao Bao's avatar Tao Bao
Browse files

MultiRangeHttpFetcher::ReceivedBytes should signal the caller correctly. 

HttpFetcherDelegate::ReceivedBytes requires a delegate to return false
to signal the caller to terminate. However, the overload in
MultiRangeHttpFetcher::ReceivedBytes missed that and wrongly returned
true instead.

As a result, we observed the following crash while running an ASAN
build.

FileFetcher::OnReadDoneCallback()
  |
  | called its delegate of MultiRangeHttpFetcher
  |
  -- MultiRangeHttpFetcher::ReceivedBytes()
      |
      | requested fetchers to terminate
      |
      -- fetcher->TerminateTransfer()
          |
          |-- MultiRangeHttpFetcher::TerminateTransfer()
                |
                -- FileFetcher::TerminateTransfer()
                     |
                     -- MultiRangeHttpFetcher::TransferTerminated()
                          |
                          |-- DownloadAction::TransferTerminated()
                                |
                                |-- ActionProcessor::ActionComplete()
                                |
                                | DownloadAction / MultiRangeHttpFetcher /
                                | FileFetcher all destroyed
      |
      | (but it didn't signal the caller to terminate)
  |
  | FileFetcher proceeded to call FileFetcher::ScheduleRead() that accessed
  | already freed memory

While fixing the above issue, a separate bug in
LibcurlHttpFetcher::LibcurlWrite was uncovered, where in_write_callback_
wasn't properly reset.

Bug: 120577143
Test: Build and flash an ASAN build on taimen. Applying a payload with
      file:// no longer crashes with tag-mismatch.
Test: Run update_engine_unittests.
Change-Id: I66c862ae40accbfaddc41fb8590b152c2169eea6
parent fcfbda2c
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment