Fixes NullRef exception in IIS in-proc (#22806)

BrennanConroy · web-flow · commit 812f2f81459e · 2020-06-11T10:57:36.000-07:00
diff --git a/src/Servers/IIS/AspNetCoreModuleV2/InProcessRequestHandler/inprocesshandler.cpp b/src/Servers/IIS/AspNetCoreModuleV2/InProcessRequestHandler/inprocesshandler.cpp
@@ -112,7 +112,7 @@ IN_PROCESS_HANDLER::NotifyDisconnect()
 
     if (pManagedHttpContext != nullptr)
     {
-        m_pDisconnectHandler(m_pManagedHttpContext);
+        m_pDisconnectHandler(pManagedHttpContext);
     }
 }
 
@@ -139,14 +139,17 @@ IN_PROCESS_HANDLER::SetManagedHttpContext(
     PVOID pManagedHttpContext
 )
 {
+    bool disconnectFired = false;
+
     {
         SRWExclusiveLock lock(m_srwDisconnectLock);
         m_pManagedHttpContext = pManagedHttpContext;
+        disconnectFired = m_disconnectFired;
     }
 
-    if (m_disconnectFired && m_pManagedHttpContext != nullptr)
+    if (disconnectFired && pManagedHttpContext != nullptr)
     {
-        m_pDisconnectHandler(m_pManagedHttpContext);
+        m_pDisconnectHandler(pManagedHttpContext);
     }
 }
 
diff --git a/src/Servers/IIS/IIS/src/Core/IISHttpContext.cs b/src/Servers/IIS/IIS/src/Core/IISHttpContext.cs
@@ -119,69 +119,75 @@ internal unsafe IISHttpContext(
 
         protected void InitializeContext()
         {
-            _thisHandle = GCHandle.Alloc(this);
+            // create a memory barrier between initialize and disconnect to prevent a possible
+            // NullRef with disconnect being called before these fields have been written
+            // disconnect aquires this lock as well
+            lock (_abortLock)
+            {
+                _thisHandle = GCHandle.Alloc(this);
 
-            Method = GetVerb();
+                Method = GetVerb();
 
-            RawTarget = GetRawUrl();
-            // TODO version is slow.
-            HttpVersion = GetVersion();
-            Scheme = SslStatus != SslStatus.Insecure ? Constants.HttpsScheme : Constants.HttpScheme;
-            KnownMethod = VerbId;
-            StatusCode = 200;
+                RawTarget = GetRawUrl();
+                // TODO version is slow.
+                HttpVersion = GetVersion();
+                Scheme = SslStatus != SslStatus.Insecure ? Constants.HttpsScheme : Constants.HttpScheme;
+                KnownMethod = VerbId;
+                StatusCode = 200;
 
-            var originalPath = GetOriginalPath();
+                var originalPath = GetOriginalPath();
 
-            if (KnownMethod == HttpApiTypes.HTTP_VERB.HttpVerbOPTIONS && string.Equals(RawTarget, "*", StringComparison.Ordinal))
-            {
-                PathBase = string.Empty;
-                Path = string.Empty;
-            }
-            else
-            {
-                // Path and pathbase are unescaped by RequestUriBuilder
-                // The UsePathBase middleware will modify the pathbase and path correctly
-                PathBase = string.Empty;
-                Path = originalPath;
-            }
+                if (KnownMethod == HttpApiTypes.HTTP_VERB.HttpVerbOPTIONS && string.Equals(RawTarget, "*", StringComparison.Ordinal))
+                {
+                    PathBase = string.Empty;
+                    Path = string.Empty;
+                }
+                else
+                {
+                    // Path and pathbase are unescaped by RequestUriBuilder
+                    // The UsePathBase middleware will modify the pathbase and path correctly
+                    PathBase = string.Empty;
+                    Path = originalPath;
+                }
 
-            var cookedUrl = GetCookedUrl();
-            QueryString = cookedUrl.GetQueryString() ?? string.Empty;
+                var cookedUrl = GetCookedUrl();
+                QueryString = cookedUrl.GetQueryString() ?? string.Empty;
 
-            RequestHeaders = new RequestHeaders(this);
-            HttpResponseHeaders = new HeaderCollection();
-            ResponseHeaders = HttpResponseHeaders;
+                RequestHeaders = new RequestHeaders(this);
+                HttpResponseHeaders = new HeaderCollection();
+                ResponseHeaders = HttpResponseHeaders;
 
-            if (_options.ForwardWindowsAuthentication)
-            {
-                WindowsUser = GetWindowsPrincipal();
-                if (_options.AutomaticAuthentication)
+                if (_options.ForwardWindowsAuthentication)
                 {
-                    User = WindowsUser;
+                    WindowsUser = GetWindowsPrincipal();
+                    if (_options.AutomaticAuthentication)
+                    {
+                        User = WindowsUser;
+                    }
                 }
-            }
 
-            MaxRequestBodySize = _options.MaxRequestBodySize;
+                MaxRequestBodySize = _options.MaxRequestBodySize;
 
-            ResetFeatureCollection();
+                ResetFeatureCollection();
 
-            if (!_server.IsWebSocketAvailable(_pInProcessHandler))
-            {
-                _currentIHttpUpgradeFeature = null;
-            }
+                if (!_server.IsWebSocketAvailable(_pInProcessHandler))
+                {
+                    _currentIHttpUpgradeFeature = null;
+                }
 
-            _streams = new Streams(this);
+                _streams = new Streams(this);
 
-            (RequestBody, ResponseBody) = _streams.Start();
+                (RequestBody, ResponseBody) = _streams.Start();
 
-            var pipe = new Pipe(
-                new PipeOptions(
-                    _memoryPool,
-                    readerScheduler: PipeScheduler.ThreadPool,
-                    pauseWriterThreshold: PauseWriterThreshold,
-                    resumeWriterThreshold: ResumeWriterTheshold,
-                    minimumSegmentSize: MinAllocBufferSize));
-            _bodyOutput = new OutputProducer(pipe);
+                var pipe = new Pipe(
+                    new PipeOptions(
+                        _memoryPool,
+                        readerScheduler: PipeScheduler.ThreadPool,
+                        pauseWriterThreshold: PauseWriterThreshold,
+                        resumeWriterThreshold: ResumeWriterTheshold,
+                        minimumSegmentSize: MinAllocBufferSize));
+                _bodyOutput = new OutputProducer(pipe);
+            }
 
             NativeMethods.HttpSetManagedContext(_pInProcessHandler, (IntPtr)_thisHandle);
         }
diff --git a/src/Servers/IIS/IIS/src/Core/IISHttpServer.cs b/src/Servers/IIS/IIS/src/Core/IISHttpServer.cs
@@ -170,7 +170,7 @@ private static void OnDisconnect(IntPtr pvManagedHttpContext)
             try
             {
                 context = (IISHttpContext)GCHandle.FromIntPtr(pvManagedHttpContext).Target;
-                context.AbortIO(clientDisconnect: true);
+                context?.AbortIO(clientDisconnect: true);
             }
             catch (Exception ex)
             {
@@ -184,7 +184,7 @@ private static NativeMethods.REQUEST_NOTIFICATION_STATUS OnAsyncCompletion(IntPt
             try
             {
                 context = (IISHttpContext)GCHandle.FromIntPtr(pvManagedHttpContext).Target;
-                context.OnAsyncCompletion(hr, bytes);
+                context?.OnAsyncCompletion(hr, bytes);
                 return NativeMethods.REQUEST_NOTIFICATION_STATUS.RQ_NOTIFICATION_PENDING;
             }
             catch (Exception ex)

Original file line number	Diff line number	Diff line change
`@@ -112,7 +112,7 @@ IN_PROCESS_HANDLER::NotifyDisconnect()`
`112`	`112`
`113`	`113`	`if (pManagedHttpContext != nullptr)`
`114`	`114`	`{`
`115`		`- m_pDisconnectHandler(m_pManagedHttpContext);`
	`115`	`+ m_pDisconnectHandler(pManagedHttpContext);`
`116`	`116`	`}`
`117`	`117`	`}`
`118`	`118`
`@@ -139,14 +139,17 @@ IN_PROCESS_HANDLER::SetManagedHttpContext(`
`139`	`139`	`PVOID pManagedHttpContext`
`140`	`140`	`)`
`141`	`141`	`{`
	`142`	`+ bool disconnectFired = false;`
	`143`	`+`
`142`	`144`	`{`
`143`	`145`	`SRWExclusiveLock lock(m_srwDisconnectLock);`
`144`	`146`	`m_pManagedHttpContext = pManagedHttpContext;`
	`147`	`+ disconnectFired = m_disconnectFired;`
`145`	`148`	`}`
`146`	`149`
`147`		`- if (m_disconnectFired && m_pManagedHttpContext != nullptr)`
	`150`	`+ if (disconnectFired && pManagedHttpContext != nullptr)`
`148`	`151`	`{`
`149`		`- m_pDisconnectHandler(m_pManagedHttpContext);`
	`152`	`+ m_pDisconnectHandler(pManagedHttpContext);`
`150`	`153`	`}`
`151`	`154`	`}`
`152`	`155`
Original file line number	Diff line number	Diff line change
`@@ -170,7 +170,7 @@ private static void OnDisconnect(IntPtr pvManagedHttpContext)`
`170`	`170`	`try`
`171`	`171`	`{`
`172`	`172`	`context = (IISHttpContext)GCHandle.FromIntPtr(pvManagedHttpContext).Target;`
`173`		`- context.AbortIO(clientDisconnect: true);`
	`173`	`+ context?.AbortIO(clientDisconnect: true);`
`174`	`174`	`}`
`175`	`175`	`catch (Exception ex)`
`176`	`176`	`{`
`@@ -184,7 +184,7 @@ private static NativeMethods.REQUEST_NOTIFICATION_STATUS OnAsyncCompletion(IntPt`
`184`	`184`	`try`
`185`	`185`	`{`
`186`	`186`	`context = (IISHttpContext)GCHandle.FromIntPtr(pvManagedHttpContext).Target;`
`187`		`- context.OnAsyncCompletion(hr, bytes);`
	`187`	`+ context?.OnAsyncCompletion(hr, bytes);`
`188`	`188`	`return NativeMethods.REQUEST_NOTIFICATION_STATUS.RQ_NOTIFICATION_PENDING;`
`189`	`189`	`}`
`190`	`190`	`catch (Exception ex)`