tls: use after free in tls_wrap

The root cause is that `req_wrap` is created in `StreamBase::Write`
and passed to `TLSWrap::DoWrite`. In the TLS case the object gets
disposed and replaced with a new instance, but the caller's pointer is
never updated. When the `StreamBase::Write` method returns, it returns
a pointer to the freed object to the caller. In some cases when the
object memory has already been reused an assert is hit in
`WriteWrap::SetAllocatedStorage` because the pointer is non-null.

PR-URL: #18860
Refs: #18676
Reviewed-By: Anna Henningsen <anna@addaleax.net>

Author: kfarnung

src/tls_wrap.cc

@@ -310,10 +310,12 @@ void TLSWrap::EncOut() {
 
 
 void TLSWrap::OnStreamAfterWrite(WriteWrap* req_wrap, int status) {
-  // Report back to the previous listener as well. This is only needed for the
-  // "empty" writes that are passed through directly to the underlying stream.
-  if (req_wrap != nullptr)
-    previous_listener_->OnStreamAfterWrite(req_wrap, status);
+  if (current_empty_write_ != nullptr) {
+    WriteWrap* finishing = current_empty_write_;
+    current_empty_write_ = nullptr;
+    finishing->Done(status);
+    return;
+  }
 
   if (ssl_ == nullptr)
     status = UV_ECANCELED;
@@ -579,18 +581,17 @@ int TLSWrap::DoWrite(WriteWrap* w,
     // However, if there is any data that should be written to the socket,
     // the callback should not be invoked immediately
     if (BIO_pending(enc_out_) == 0) {
-      // We destroy the current WriteWrap* object and create a new one that
-      // matches the underlying stream, rather than the TLSWrap itself.
-
-      // Note: We cannot simply use w->object() because of the "optimized"
-      // way in which we read persistent handles; the JS object itself might be
-      // destroyed by w->Dispose(), and the Local<Object> we have is not a
-      // "real" handle in the sense the V8 is aware of its existence.
-      Local<Object> req_wrap_obj =
-          w->GetAsyncWrap()->persistent().Get(env()->isolate());
-      w->Dispose();
-      w = underlying_stream()->CreateWriteWrap(req_wrap_obj);
-      return stream_->DoWrite(w, bufs, count, send_handle);
+      CHECK_EQ(current_empty_write_, nullptr);
+      current_empty_write_ = w;
+      StreamWriteResult res =
+          underlying_stream()->Write(bufs, count, send_handle);
+      if (!res.async) {
+        env()->SetImmediate([](Environment* env, void* data) {
+          TLSWrap* self = static_cast<TLSWrap*>(data);
+          self->OnStreamAfterWrite(self->current_empty_write_, 0);
+        }, this, object());
+      }
+      return 0;
     }
   }
 

src/tls_wrap.h

@@ -152,6 +152,7 @@ class TLSWrap : public AsyncWrap,
   std::vector<uv_buf_t> pending_cleartext_input_;
   size_t write_size_;
   WriteWrap* current_write_ = nullptr;
+  WriteWrap* current_empty_write_ = nullptr;
   bool write_callback_scheduled_ = false;
   bool started_;
   bool established_;