From 52c41aa18f78950ef8c3bc280bb827074fadf646 Mon Sep 17 00:00:00 2001 From: piaoyingmin Date: Tue, 30 Jun 2026 14:02:32 +0800 Subject: [PATCH] inspector: fix crash when writing to closed inspector socket ProtocolHandler::WriteRaw() dereferences tcp_ without a null check. When the remote end disconnects, OnEof() resets tcp_ to nullptr, but queued messages from the uv_async callback can still trigger Write() on the same event loop iteration, causing a null pointer dereference crash (EXCEPTION_ACCESS_VIOLATION on Windows). Additionally, ParseWsFrames() can call OnEof() internally (on compressed or error frames), which resets tcp_ mid-loop in OnData(). If the delegate callback triggered by OnWsFrame() then calls Write(), it would also hit the null tcp_ crash. Add null guards in: - WsHandler::OnData: stop parsing loop when tcp_ becomes null - WsHandler::Write: early return before frame encoding - ProtocolHandler::WriteRaw: defensive fallback for all write paths Fixes: https://github.com/nodejs/node/issues/34833 Signed-off-by: piaoyingmin
---
 src/inspector_socket.cc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
index 93d819a21e5e6c..52e53373c93adc 100644
--- a/src/inspector_socket.cc
+++ b/src/inspector_socket.cc
@@ -401,10 +401,11 @@ class WsHandler : public ProtocolHandler {
 if (processed > 0) {
 remove_from_beginning(data, processed);
 }
- } while (processed > 0 && !data->empty());
+ } while (processed > 0 && !data->empty() && tcp_);
 }
 void Write(const std::vector data) override {
+ if (!tcp_) return;
 std::vector output = encode_frame_hybi17(data);
 WriteRaw(output, WriteRequest::Cleanup);
 }
@@ -666,6 +667,7 @@ ProtocolHandler::ProtocolHandler(InspectorSocket* inspector,
 int ProtocolHandler::WriteRaw(const std::vector& buffer,
 uv_write_cb write_cb) {
+ if (!tcp_) return -1;
 return tcp_->WriteRaw(buffer, write_cb);
 }
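Review bot: In the new loop condition `processed > 0 && !data->empty() && tcp_` the `tcp_` test comes last, so `remove_from_beginning(data, processed)` and `data->empty()` still run after ParseWsFrames() may have called OnEof(). If `data` points into storage owned by the object `tcp_` was holding (not visible in this hunk), those accesses rely on that storage outliving the reset; testing the pointer first, `} while (tcp_ && processed > 0 && !data->empty());`, removes that dependency for the condition at least. The early return in Write() silently drops the frame and deserves a one-line comment such as `// tcp_ is reset in OnEof(); frames queued after the peer disconnected are dropped.` OnData() begins above this hunk, so only the tail of the loop could be reviewed.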
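Review bot: The new guard in ProtocolHandler::WriteRaw returns a bare `-1`, and the only caller visible in this patch, WsHandler::Write, discards the return value, so a write to a closed socket looks the same as success at that call site. If `tcp_->WriteRaw` returns libuv status codes (not visible here), a named code is clearer and does not depend on the platform's errno numbering: `if (!tcp_) return UV_ENOTCONN;`. A comment on the guard should state that `write_cb` is not invoked on this path, so callers must not rely on it for cleanup. The diffstat lists only src/inspector_socket.cc; because a remote peer's disconnect was enough to crash the process, a regression test that closes the peer and then writes would keep this from returning.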