fix: heap-use-after-free in create_notification (ASAN)

bartlomieju · claude · bartlomieju · commit a676dd7dfbab · 2026-03-07T17:44:00.000+01:00
The upstream crdtp Notification class stores `const char* method_` as a
raw pointer without copying. When called from Rust, the CString holding
the method name is dropped before AppendSerialized is called, causing a
use-after-free detected by ASAN.

Replace with OwnedNotification that stores a std::string copy of the
method name, reproducing the same CBOR serialization logic.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/crdtp_binding.cc b/src/crdtp_binding.cc
@@ -1,9 +1,11 @@
 // Copyright 2024 the Deno authors. All rights reserved. MIT license.
 
 #include "support.h"
+#include "v8/third_party/inspector_protocol/crdtp/cbor.h"
 #include "v8/third_party/inspector_protocol/crdtp/dispatch.h"
 #include "v8/third_party/inspector_protocol/crdtp/frontend_channel.h"
 #include "v8/third_party/inspector_protocol/crdtp/json.h"
+#include "v8/third_party/inspector_protocol/crdtp/parser_handler.h"
 
 using namespace support;
 using namespace v8_crdtp;
@@ -259,10 +261,40 @@ Serializable* crdtp__CreateResponse(int call_id, Serializable* params) {
   return CreateResponse(call_id, std::move(params_ptr)).release();
 }
 
+// Owns a copy of the method string, since upstream Notification stores only
+// a raw const char* pointer which leads to use-after-free when the Rust
+// CString is dropped before AppendSerialized is called.
+class OwnedNotification : public Serializable {
+ public:
+  OwnedNotification(const char* method, std::unique_ptr<Serializable> params)
+      : method_(method), params_(std::move(params)) {}
+
+  void AppendSerialized(std::vector<uint8_t>* out) const override {
+    Status status;
+    std::unique_ptr<ParserHandler> encoder = cbor::NewCBOREncoder(out, &status);
+    encoder->HandleMapBegin();
+    encoder->HandleString8(SpanFrom("method"));
+    encoder->HandleString8(SpanFrom(method_));
+    encoder->HandleString8(SpanFrom("params"));
+    if (params_) {
+      params_->AppendSerialized(out);
+    } else {
+      encoder->HandleMapBegin();
+      encoder->HandleMapEnd();
+    }
+    encoder->HandleMapEnd();
+    assert(status.ok());
+  }
+
+ private:
+  std::string method_;
+  std::unique_ptr<Serializable> params_;
+};
+
 Serializable* crdtp__CreateNotification(const char* method,
                                         Serializable* params) {
   std::unique_ptr<Serializable> params_ptr(params);
-  return CreateNotification(method, std::move(params_ptr)).release();
+  return new OwnedNotification(method, std::move(params_ptr));
 }
 
 Serializable* crdtp__CreateErrorNotification(
