net: fix use-after-free with v2->v1 reconnection logic #33956

pull Crypt-iQ wants to merge 1 commits into bitcoin:master from Crypt-iQ:11262025/asan_reconnections_fix changing 2 files +6 −2
  1. Crypt-iQ commented at 9:03 pm on November 26, 2025: contributor

    CConnman::Stop() resets semOutbound, yet m_reconnections is not cleared in Stop. Each ReconnectionInfo contains a grant member that points to the memory that semOutbound pointed to and ~CConnman will attempt to access the grant field (memory that was already freed) when destroying m_reconnections. Fix this by calling m_reconnections.clear() in CConnman::Stop() and add appropriate annotations.

    I was able to reproduce the original issue #33615 with the following diff by randomly stopping my node while it was attempting to reconnect (and verified that this patch fixes the issue, at least in my ~40-50 runs):

     0diff --git a/src/net.cpp b/src/net.cpp
 1index ef1c63044a..9c1d161d8b 100644
 2--- a/src/net.cpp
 3+++ b/src/net.cpp
 4@@ -1918,8 +1918,8 @@ void CConnman::DisconnectNodes()
 5     {
 6         LOCK(m_nodes_mutex);
 7 
 8-        const bool network_active{fNetworkActive};
 9-        if (!network_active) {
10+//        const bool network_active{fNetworkActive};
11+//        if (!network_active) {
12             // Disconnect any connected nodes
13             for (CNode* pnode : m_nodes) {
14                 if (!pnode->fDisconnect) {
15@@ -1927,7 +1927,7 @@ void CConnman::DisconnectNodes()
16                     pnode->fDisconnect = true;
17                 }
18             }
19-        }
20+//        }
21 
22         // Disconnect unused nodes
23         std::vector<CNode*> nodes_copy = m_nodes;
24@@ -1941,7 +1941,7 @@ void CConnman::DisconnectNodes()
25                 // Add to reconnection list if appropriate. We don't reconnect right here, because
26                 // the creation of a connection is a blocking operation (up to several seconds),
27                 // and we don't want to hold up the socket handler thread for that long.
28-                if (network_active && pnode->m_transport->ShouldReconnectV1()) {
29+                if (true) {
30                     reconnections_to_add.push_back({
31                         .addr_connect = pnode->addr,
32                         .grant = std::move(pnode->grantOutbound),

    I’m curious to see if others can reproduce as well.

  2. net: fix use-after-free with v2->v1 reconnection logic 
    CConnman::Stop() resets semOutbound, yet m_reconnections is not
cleared in Stop. Each ReconnectionInfo contains a grant member
that points to the memory that semOutbound pointed to and ~CConnman
will attempt to access the grant field (memory that was already
freed) when destroying m_reconnections. Fix this by calling
m_reconnections.clear() in CConnman::Stop() and add appropriate
annotations.
    167df7a98c
  3. DrahtBot added the label P2P on Nov 26, 2025
  4. DrahtBot commented at 9:03 pm on November 26, 2025: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/33956.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK dergoegge, darosior, mzumsande

    If your review is incorrectly listed, please copy-paste <!–meta-tag:bot-skip–> into the comment that the bot should ignore.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #32394 (net: make m_nodes_mutex non-recursive by vasild)
    • #32015 (net: replace manual reference counting of CNode with shared_ptr by vasild)
    • #30988 (Split CConnman by vasild)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  5. dergoegge approved
  6. dergoegge commented at 1:50 pm on November 28, 2025: member
    Code review ACK 167df7a98c8514da6979d45e58fcdcbd0733b8fe
  7. darosior approved
  8. darosior commented at 8:26 pm on December 4, 2025: member
    utACK 167df7a98c8514da6979d45e58fcdcbd0733b8fe
  9. mzumsande commented at 8:33 pm on December 4, 2025: contributor

    ACK 167df7a98c8514da6979d45e58fcdcbd0733b8fe

    didn’t test it, but but the explanation of the bug make sense and since all the network threads have been stopped at this point anyway I can’t see a downside to clearing m_reconnections here.

  10. fanquake merged this on Dec 5, 2025
  11. fanquake closed this on Dec 5, 2025
  12. Crypt-iQ deleted the branch on Dec 5, 2025


Crypt-iQ DrahtBot dergoegge darosior mzumsande

Labels
P2P

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-12-19 03:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me