scaled range timer manager: potential use-after-free when disabling timer during another timer's callback

[chradcliffe]

Description:
During the triggering of a callback for a ScaledRangeTimerManagerImpl timer, if another timer in the same queue is disabled such that the queue becomes empty, the queue will be deleted. This will result in a use-after-free error in the loop inside ScaledRangeTimerManagerImpl::onQueueTimerFired when checking !timers.empty().

This issue does not seem to be possible in mainline Envoy, since there are very few places that the scaled range timers are currently used; however, our internal modifications of Envoy have hit this issue and it is reproducible in a unit test.

Repro steps:
See chradcliffe@6666db7 for a minimal unit test that reproduces the issue when run under ASAN.

[chradcliffe]

cc @akonradi

[akonradi]

Nice catch, and thanks for the reproducer. I'll start working on a fix unless you've got one, @chradcliffe?

[chradcliffe]

I can create a PR -- I think it's a relatively simple fix.

[akonradi]

/cc @antoniovicente

[antoniovicente]

I would prefer to keep this issue open even after #14799 is merged in. We should do some followups to provide further defense in depth against this class of bugs.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[akonradi]

@antoniovicente what kind of follow-ups?