artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9779e10) | patch
Fix a crash reported and analyzed by Bertrand PROVOST. When a HTTP
authorbluhm <bluhm@openbsd.org>
Mon, 18 May 2015 16:57:20 +0000 (16:57 +0000)
committerbluhm <bluhm@openbsd.org>
Mon, 18 May 2015 16:57:20 +0000 (16:57 +0000)
commit70d03dad87409ee59c53b3317a3885d5afbca8c5
tree6bca45ebf273a64340bd882aff9f097eeddb4e38tree | snapshot
parent9779e1083eaf0016c5af8941acee0dc760be3ce0commit | diff
Fix a crash reported and analyzed by Bertrand PROVOST.  When a HTTP
client or server writes multiple requests or chunks in a single
transfer, relayd invokes the libevent callback manually for the
next data.  If the callback closes the session, this resulted in
an use after free.
Instead of the more complicated fix suggested by Bertrand PROVOST,
just move the invocation of the callback to the end of the function.
So in case the callback frees any structures, they are not accessed.
OK benno@ reyk@
usr.sbin/relayd/relay.c diff | blob | history
usr.sbin/relayd/relay_http.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim