Hello!
Find attached two patches, which each fix a use-after-free bug.
I've also attached a crashing HTML document for each, but please be
aware that these reproducer documents link to URLs on external web
servers.
The reproducers crash reliably on my x86_64 Void Linux laptop, but
I've not tested them elsewhere. I've also attached a crash log with
asan reporting of each.
Thank you
-Magnus L
p.s. I've also opened GitHub PR 449 with these same changes, but
figured I should send the patches via email as well — if only for
practice :)
paths: Cannot open file '/home/magnus/.dillo/keysrc': No such file or directory
paths: Cannot open file '/usr/local/etc/dillo/keysrc': No such file or directory
paths: Using internal defaults...
paths: Cannot open file '/home/magnus/.dillo/domainrc': No such file or
directory
paths: Cannot open file '/usr/local/etc/dillo/domainrc': No such file or
directory
paths: Using internal defaults...
dillo_dns_init: Here we go! (threaded)
TLS library: OpenSSL 3.5.4 30 Sep 2025
Disabling cookies.
paths: Cannot open file '/home/magnus/.dillo/hsts_preload': No such file or
directory
paths: Cannot open file '/usr/local/etc/dillo/hsts_preload': No such file or
directory
paths: Using internal defaults...
Nav_open_url: new url='file:/home/magnus/crash-dillo/tls_openssl_uaf.html'
NumPendingStyleSheets=1
Dns_server [1]: 142.251.45.142 is 142.251.45.142
Dns_server [0]: detectportal.firefox.com is 34.107.221.82 2600:1901:0:38d7::
142.251.45.142: TLSv1.3, cipher TLS_AES_256_GCM_SHA384
sha256 2048-bit RSA: /OU=No SNI provided; please fix your
client./CN=invalid2.invalid
root: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
>>>> a_Nav_repush <<<<
Nav_open_url: new url='file:/home/magnus/crash-dillo/tls_openssl_uaf.html'
SSL_shutdown() failed with error:FFFFFFFF80000009:system library::Bad file
descriptor for url: https://142.251.45.142/
a_Nav_expect_done: repush!
142.251.45.142: TLSv1.3, cipher TLS_AES_256_GCM_SHA384
sha256 2048-bit RSA: /OU=No SNI provided; please fix your
client./CN=invalid2.invalid
root: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
fd 6 is done and failed
Connection disappeared. Too long with a popup popped up?
=================================================================
==22123==ERROR: AddressSanitizer: heap-use-after-free on address 0x5030002dc209
at pc 0x56105f8309cd bp 0x7ffe64ac4540 sp 0x7ffe64ac4530
WRITE of size 1 at 0x5030002dc209 thread T0
#0 0x56105f8309cc in Tls_connect
/home/magnus/dillo/src/IO/tls_openssl.c:1233
#1 0x56105f8309fa in Tls_connect_cb
/home/magnus/dillo/src/IO/tls_openssl.c:1238
#2 0x7f815a5e2989 (/usr/lib64/libfltk.so.1.3+0xa2989) (BuildId:
f2ecde5004360c1836d560b4542938b912d24c33)
#3 0x7f815a5820b5 in Fl::wait(double) (/usr/lib64/libfltk.so.1.3+0x420b5)
(BuildId: f2ecde5004360c1836d560b4542938b912d24c33)
#4 0x7f815a58219c in Fl::wait() (/usr/lib64/libfltk.so.1.3+0x4219c)
(BuildId: f2ecde5004360c1836d560b4542938b912d24c33)
#5 0x56105f740f2b in main /home/magnus/dillo/src/dillo.cc:621
#6 0x7f8159d52bfb in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f8159d52cb4 in __libc_start_main_impl ../csu/libc-start.c:360
#8 0x56105f73def0 in _start ../sysdeps/x86_64/start.S:115
0x5030002dc209 is located 25 bytes inside of 32-byte region
[0x5030002dc1f0,0x5030002dc210)
freed by thread T0 here:
#0 0x7f815aef8818 (/usr/lib64/libasan.so.8+0xf8818) (BuildId:
4a8505bee5ce42b81c4c9e1235c2851911c68054)
#1 0x56105f81c3ac in dFree (/home/magnus/dillo/src/dillo+0x2113ac)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#2 0x56105f82fd9e in Tls_close_by_key
/home/magnus/dillo/src/IO/tls_openssl.c:1101
#3 0x56105f83139d in a_Tls_openssl_close_by_fd
/home/magnus/dillo/src/IO/tls_openssl.c:1374
#4 0x56105f82b8d4 in a_Tls_close_by_fd /home/magnus/dillo/src/IO/tls.c:162
#5 0x56105f825981 in Http_socket_free /home/magnus/dillo/src/IO/http.c:318
#6 0x56105f829ee2 in a_Http_ccc /home/magnus/dillo/src/IO/http.c:920
#7 0x56105f77358d in a_Chain_bcb (/home/magnus/dillo/src/dillo+0x16858d)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#8 0x56105f78cbf7 in a_Capi_ccc (/home/magnus/dillo/src/dillo+0x181bf7)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#9 0x56105f78a6ea in a_Capi_conn_abort_by_url
(/home/magnus/dillo/src/dillo+0x17f6ea) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#10 0x56105f78c8bb in a_Capi_stop_client
(/home/magnus/dillo/src/dillo+0x1818bb) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#11 0x56105f758cb7 in a_Bw_stop_clients
(/home/magnus/dillo/src/dillo+0x14dcb7) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#12 0x56105f778835 in Nav_open_url (/home/magnus/dillo/src/dillo+0x16d835)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#13 0x56105f7792b9 in Nav_repush (/home/magnus/dillo/src/dillo+0x16e2b9)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#14 0x56105f7792e0 in Nav_repush_callback
(/home/magnus/dillo/src/dillo+0x16e2e0) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#15 0x7f815a581fe3 in Fl::wait(double) (/usr/lib64/libfltk.so.1.3+0x41fe3)
(BuildId: f2ecde5004360c1836d560b4542938b912d24c33)
#16 0x56105f82e4a8 in Tls_check_cert_hostname
/home/magnus/dillo/src/IO/tls_openssl.c:725
#17 0x56105f82eca9 in Tls_examine_certificate
/home/magnus/dillo/src/IO/tls_openssl.c:864
#18 0x56105f830821 in Tls_connect
/home/magnus/dillo/src/IO/tls_openssl.c:1206
#19 0x56105f8309fa in Tls_connect_cb
/home/magnus/dillo/src/IO/tls_openssl.c:1238
#20 0x7f815a5e2989 (/usr/lib64/libfltk.so.1.3+0xa2989) (BuildId:
f2ecde5004360c1836d560b4542938b912d24c33)
previously allocated by thread T0 here:
#0 0x7f815aef9cd7 in malloc (/usr/lib64/libasan.so.8+0xf9cd7) (BuildId:
4a8505bee5ce42b81c4c9e1235c2851911c68054)
#1 0x56105f81c2fa in dMalloc (/home/magnus/dillo/src/dillo+0x2112fa)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#2 0x56105f81c375 in dMalloc0 (/home/magnus/dillo/src/dillo+0x211375)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#3 0x56105f82bd8e in Tls_conn_new
/home/magnus/dillo/src/IO/tls_openssl.c:165
#4 0x56105f830ce2 in a_Tls_openssl_connect
/home/magnus/dillo/src/IO/tls_openssl.c:1286
#5 0x56105f82b8bc in a_Tls_connect /home/magnus/dillo/src/IO/tls.c:149
#6 0x56105f826eb1 in Http_connect_tls /home/magnus/dillo/src/IO/http.c:530
#7 0x56105f827423 in Http_connect_socket_cb
/home/magnus/dillo/src/IO/http.c:564
#8 0x7f815a5e2989 (/usr/lib64/libfltk.so.1.3+0xa2989) (BuildId:
f2ecde5004360c1836d560b4542938b912d24c33)
SUMMARY: AddressSanitizer: heap-use-after-free
/home/magnus/dillo/src/IO/tls_openssl.c:1233 in Tls_connect
Shadow bytes around the buggy address:
0x5030002dbf80: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
0x5030002dc000: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x5030002dc080: fd fd fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
0x5030002dc100: fd fd fd fa fa fa fd fd fd fd fa fa 00 00 00 fa
0x5030002dc180: fa fa 00 00 00 fa fa fa fd fd fd fd fa fa fd fd
=>0x5030002dc200: fd[fd]fa fa fd fd fd fd fa fa fd fd fd fa fa fa
0x5030002dc280: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
0x5030002dc300: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x5030002dc380: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x5030002dc400: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
0x5030002dc480: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==22123==ABORTING
paths: Cannot open file '/home/magnus/.dillo/keysrc': No such file or directory
paths: Cannot open file '/usr/local/etc/dillo/keysrc': No such file or directory
paths: Using internal defaults...
paths: Cannot open file '/home/magnus/.dillo/domainrc': No such file or
directory
paths: Cannot open file '/usr/local/etc/dillo/domainrc': No such file or
directory
paths: Using internal defaults...
dillo_dns_init: Here we go! (threaded)
TLS library: OpenSSL 3.5.4 30 Sep 2025
Disabling cookies.
paths: Cannot open file '/home/magnus/.dillo/hsts_preload': No such file or
directory
paths: Cannot open file '/usr/local/etc/dillo/hsts_preload': No such file or
directory
paths: Using internal defaults...
Nav_open_url: new url='file:/home/magnus/crash-dillo/socketdata-uaf.html'
NumPendingStyleSheets=1
Dns_server [0]: detectportal.firefox.com is 34.107.221.82 2600:1901:0:38d7::
Dns_server [1]: ash-speed.hetzner.com is 5.161.7.195 2a01:4ff:ef::fa57:1
>>>> a_Nav_repush <<<<
Nav_open_url: new url='file:/home/magnus/crash-dillo/socketdata-uaf.html'
a_Nav_expect_done: repush!
=================================================================
==21070==ERROR: AddressSanitizer: heap-use-after-free on address 0x50700004cb54
at pc 0x55a615b33714 bp 0x7ffe7f1baaf0 sp 0x7ffe7f1baae0
READ of size 4 at 0x50700004cb54 thread T0
#0 0x55a615b33713 in Http_socket_free /home/magnus/dillo/src/IO/http.c:303
#1 0x55a615b37ee2 in a_Http_ccc /home/magnus/dillo/src/IO/http.c:920
#2 0x55a615a8158d in a_Chain_bcb (/home/magnus/dillo/src/dillo+0x16858d)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#3 0x55a615a9abf7 in a_Capi_ccc (/home/magnus/dillo/src/dillo+0x181bf7)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#4 0x55a615a986ea in a_Capi_conn_abort_by_url
(/home/magnus/dillo/src/dillo+0x17f6ea) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#5 0x55a615a9a8bb in a_Capi_stop_client
(/home/magnus/dillo/src/dillo+0x1818bb) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#6 0x55a615a66cb7 in a_Bw_stop_clients
(/home/magnus/dillo/src/dillo+0x14dcb7) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#7 0x55a615a6028d in a_UIcmd_close_bw /home/magnus/dillo/src/uicmd.cc:694
#8 0x55a615a5d345 in CustTabs::handle(int)
/home/magnus/dillo/src/uicmd.cc:248
#9 0x7f4eb2f6110b in Fl_Group::handle(int)
(/usr/lib64/libfltk.so.1.3+0x5910b) (BuildId:
f2ecde5004360c1836d560b4542938b912d24c33)
#10 0x7f4eb2f48832 (/usr/lib64/libfltk.so.1.3+0x40832) (BuildId:
f2ecde5004360c1836d560b4542938b912d24c33)
#11 0x7f4eb2f4a95c in Fl::handle_(int, Fl_Window*)
(/usr/lib64/libfltk.so.1.3+0x4295c) (BuildId:
f2ecde5004360c1836d560b4542938b912d24c33)
#12 0x7f4eb2f4a86b in Fl::handle_(int, Fl_Window*)
(/usr/lib64/libfltk.so.1.3+0x4286b) (BuildId:
f2ecde5004360c1836d560b4542938b912d24c33)
#13 0x7f4eb2fa90a2 in fl_handle(_XEvent const&)
(/usr/lib64/libfltk.so.1.3+0xa10a2) (BuildId:
f2ecde5004360c1836d560b4542938b912d24c33)
#14 0x7f4eb2faa631 (/usr/lib64/libfltk.so.1.3+0xa2631) (BuildId:
f2ecde5004360c1836d560b4542938b912d24c33)
#15 0x7f4eb2faa989 (/usr/lib64/libfltk.so.1.3+0xa2989) (BuildId:
f2ecde5004360c1836d560b4542938b912d24c33)
#16 0x7f4eb2f4a0b5 in Fl::wait(double) (/usr/lib64/libfltk.so.1.3+0x420b5)
(BuildId: f2ecde5004360c1836d560b4542938b912d24c33)
#17 0x7f4eb2f4a19c in Fl::wait() (/usr/lib64/libfltk.so.1.3+0x4219c)
(BuildId: f2ecde5004360c1836d560b4542938b912d24c33)
#18 0x55a615a4ef2b in main /home/magnus/dillo/src/dillo.cc:621
#19 0x7f4eb2752bfb in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#20 0x7f4eb2752cb4 in __libc_start_main_impl ../csu/libc-start.c:360
#21 0x55a615a4bef0 in _start ../sysdeps/x86_64/start.S:115
0x50700004cb54 is located 4 bytes inside of 72-byte region
[0x50700004cb50,0x50700004cb98)
freed by thread T0 here:
#0 0x7f4eb38f8818 (/usr/lib64/libasan.so.8+0xf8818) (BuildId:
4a8505bee5ce42b81c4c9e1235c2851911c68054)
#1 0x55a615b2a3ac in dFree (/home/magnus/dillo/src/dillo+0x2113ac)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#2 0x55a615b3954c in Http_server_remove
/home/magnus/dillo/src/IO/http.c:1095
#3 0x55a615b33693 in Http_connect_queued_sockets
/home/magnus/dillo/src/IO/http.c:289
#4 0x55a615b3700c in Http_dns_cb /home/magnus/dillo/src/IO/http.c:764
#5 0x55a615aef560 in a_Dns_resolve (/home/magnus/dillo/src/dillo+0x1d6560)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#6 0x55a615b37673 in Http_get /home/magnus/dillo/src/IO/http.c:817
#7 0x55a615b37ea7 in a_Http_ccc /home/magnus/dillo/src/IO/http.c:911
#8 0x55a615a8158d in a_Chain_bcb (/home/magnus/dillo/src/dillo+0x16858d)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#9 0x55a615a9aa79 in a_Capi_ccc (/home/magnus/dillo/src/dillo+0x181a79)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#10 0x55a615a9a3a4 in a_Capi_open_url
(/home/magnus/dillo/src/dillo+0x1813a4) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#11 0x55a615aca95a in Html_load_image /home/magnus/dillo/src/html.cc:2213
#12 0x55a615aca7f4 in a_Html_image_new(DilloHtml*, char const*, int)
/home/magnus/dillo/src/html.cc:2186
#13 0x55a615acb080 in Html_tag_content_img
/home/magnus/dillo/src/html.cc:2293
#14 0x55a615ad5e66 in Html_process_tag /home/magnus/dillo/src/html.cc:4132
#15 0x55a615ad81b4 in Html_write_raw /home/magnus/dillo/src/html.cc:4438
#16 0x55a615abf944 in DilloHtml::write(char*, int, int)
/home/magnus/dillo/src/html.cc:597
#17 0x55a615ad7866 in Html_callback /home/magnus/dillo/src/html.cc:4333
#18 0x55a615a912ff in Cache_process_queue
(/home/magnus/dillo/src/dillo+0x1782ff) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#19 0x55a615a919fe in Cache_delayed_process_queue_callback
(/home/magnus/dillo/src/dillo+0x1789fe) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#20 0x7f4eb2f49fe3 in Fl::wait(double) (/usr/lib64/libfltk.so.1.3+0x41fe3)
(BuildId: f2ecde5004360c1836d560b4542938b912d24c33)
#21 0x7f4eb2752bfb in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 0x7f4eb38f9cd7 in malloc (/usr/lib64/libasan.so.8+0xf9cd7) (BuildId:
4a8505bee5ce42b81c4c9e1235c2851911c68054)
#1 0x55a615b2a2fa in dMalloc (/home/magnus/dillo/src/dillo+0x2112fa)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#2 0x55a615b2a375 in dMalloc0 (/home/magnus/dillo/src/dillo+0x211375)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#3 0x55a615b32955 in Http_sock_new /home/magnus/dillo/src/IO/http.c:169
#4 0x55a615b37e18 in a_Http_ccc /home/magnus/dillo/src/IO/http.c:905
#5 0x55a615a8158d in a_Chain_bcb (/home/magnus/dillo/src/dillo+0x16858d)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#6 0x55a615a9aa79 in a_Capi_ccc (/home/magnus/dillo/src/dillo+0x181a79)
(BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
#7 0x55a615a9a3a4 in a_Capi_open_url
(/home/magnus/dillo/src/dillo+0x1813a4) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#8 0x55a615aca95a in Html_load_image /home/magnus/dillo/src/html.cc:2213
#9 0x55a615aca7f4 in a_Html_image_new(DilloHtml*, char const*, int)
/home/magnus/dillo/src/html.cc:2186
#10 0x55a615acb080 in Html_tag_content_img
/home/magnus/dillo/src/html.cc:2293
#11 0x55a615ad5e66 in Html_process_tag /home/magnus/dillo/src/html.cc:4132
#12 0x55a615ad81b4 in Html_write_raw /home/magnus/dillo/src/html.cc:4438
#13 0x55a615abf944 in DilloHtml::write(char*, int, int)
/home/magnus/dillo/src/html.cc:597
#14 0x55a615ad7866 in Html_callback /home/magnus/dillo/src/html.cc:4333
#15 0x55a615a912ff in Cache_process_queue
(/home/magnus/dillo/src/dillo+0x1782ff) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#16 0x55a615a919fe in Cache_delayed_process_queue_callback
(/home/magnus/dillo/src/dillo+0x1789fe) (BuildId:
e0037263c7a2a686e2a3a065c9f3703fa201643b)
#17 0x7f4eb2f49fe3 in Fl::wait(double) (/usr/lib64/libfltk.so.1.3+0x41fe3)
(BuildId: f2ecde5004360c1836d560b4542938b912d24c33)
#18 0x7f4eb2752bfb in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free
/home/magnus/dillo/src/IO/http.c:303 in Http_socket_free
Shadow bytes around the buggy address:
0x50700004c880: fd fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
0x50700004c900: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
0x50700004c980: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x50700004ca00: 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fd fd
0x50700004ca80: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
=>0x50700004cb00: 00 00 00 00 00 fa fa fa fa fa[fd]fd fd fd fd fd
0x50700004cb80: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x50700004cc00: fd fd fa fa fa fa 00 00 00 00 00 00 00 00 01 fa
0x50700004cc80: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
0x50700004cd00: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x50700004cd80: 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==21070==ABORTING
From 0461f35f0be43a8ce97e3fc783a165a4b3c5905c Mon Sep 17 00:00:00 2001
From: Magnus Larsen <[email protected]>
Date: Thu, 22 Jan 2026 23:57:22 -0800
Subject: [PATCH 1/2] Fully free SocketData while removing Http_Server
This fixes a use-after-free where a dangling pointer would be left
in the ValidSocks klist.
---
src/IO/http.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/IO/http.c b/src/IO/http.c
index 4d9902f2..d0b70892 100644
--- a/src/IO/http.c
+++ b/src/IO/http.c
@@ -68,6 +68,7 @@ typedef struct {
ChainLink *Info; /* Used for CCC asynchronous operations */
char *connected_to; /* Used for per-server connection limit */
uint_t connect_port;
+ int SKey;
Dstr *https_proxy_reply;
} SocketData_t;
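Review bot: The new member at `+ int SKey;` is the only field in this part of SocketData_t without a trailing comment, while its neighbours (`Info`, `connected_to`) each say what they are for. Since Http_sock_new (hunk at @@ -168) stores the a_Klist_insert() result there and Http_server_remove later frees through it, `int SKey; /* key of this entry in ValidSocks; valid until the struct is freed */` would tell a reader where the value comes from and why it matters for teardown. The struct definition starts before the hunk.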
@@ -168,7 +169,8 @@ static int Http_sock_new(void)
{
SocketData_t *S = dNew0(SocketData_t, 1);
S->SockFD = -1;
- return a_Klist_insert(&ValidSocks, S);
+ S->SKey = a_Klist_insert(&ValidSocks, S);
+ return S->SKey;
}
/**
@@ -1092,6 +1094,8 @@ static void Http_server_remove(Server_t *srv)
while ((sd = dList_nth_data(srv->queue, 0))) {
dList_remove_fast(srv->queue, sd);
+ if (!(sd->flags & HTTP_SOCKET_TO_BE_FREED))
+ Http_socket_free(sd->SKey);
dFree(sd);
}
dList_free(srv->queue);
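Review bot: The guard `if (!(sd->flags & HTTP_SOCKET_TO_BE_FREED))` skips Http_socket_free() but `dFree(sd)` still runs on the next line, so a struct carrying that flag is released here while its ValidSocks entry stays behind — the same dangling key the commit message describes, if the flag marks a deferred Http_socket_free() that has not yet run. Whether that is safe depends on what sets the flag and on whether Http_socket_free() (outside the hunk) frees the struct itself or only drops the klist entry; neither is visible here, and if it does free the struct the following `dFree(sd)` becomes a double free. A comment above the guard stating the rule being enforced, e.g. `/* the ValidSocks entry must be dropped before sd is freed, or its key dangles */`, would let a reader check that invariant in both places, since the same two lines are repeated in the @@ -1108 hunk. Http_server_remove continues past the hunk.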
@@ -1108,7 +1112,9 @@ static void Http_servers_remove_all(void)
while (dList_length(servers) > 0) {
srv = (Server_t*) dList_nth_data(servers, 0);
while ((sd = dList_nth_data(srv->queue, 0))) {
- dList_remove(srv->queue, sd);
+ dList_remove_fast(srv->queue, sd);
+ if (!(sd->flags & HTTP_SOCKET_TO_BE_FREED))
+ Http_socket_free(sd->SKey);
dFree(sd);
}
Http_server_remove(srv);
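Review bot: The loop at `while ((sd = dList_nth_data(srv->queue, 0)))` in Http_servers_remove_all now duplicates, line for line, the queue-draining loop that Http_server_remove gained in the @@ -1092 hunk, and `Http_server_remove(srv);` is called on the same server immediately after it. Unless the lines of Http_server_remove before its loop (outside that hunk) require the queue to already be empty, the inner loop here can be dropped so the free logic lives in one place, leaving `srv = (Server_t*) dList_nth_data(servers, 0);` followed directly by `Http_server_remove(srv);`. Http_servers_remove_all continues past the hunk.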
--
2.51.2
From 85370b4300ba56d3ddb67ef98cbd19e559645271 Mon Sep 17 00:00:00 2001
From: Magnus Larsen <[email protected]>
Date: Thu, 22 Jan 2026 23:57:28 -0800
Subject: [PATCH 2/2] Fix use-after-free in openssl cert popup
This bug was half-addressed last year in commit 9b6c641, but conn could
still be a dangling pointer if ongoing==TRUE.
---
src/IO/tls_openssl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/IO/tls_openssl.c b/src/IO/tls_openssl.c
index dddde0e8..dd619996 100644
--- a/src/IO/tls_openssl.c
+++ b/src/IO/tls_openssl.c
@@ -1213,8 +1213,10 @@ static void Tls_connect(int fd, int connkey)
* been closed by the server if the user responded too slowly to a popup.
*/
+ conn = a_Klist_get_data(conn_list, connkey);
+
if (!ongoing) {
- if (a_Klist_get_data(conn_list, connkey)) {
+ if (conn) {
conn->connecting = FALSE;
if (failed) {
conn->in_connect = FALSE;
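Review bot: After the added `conn = a_Klist_get_data(conn_list, connkey);` the variable can be NULL, and the hunk only guards the `!ongoing` branch with `if (conn)`; if the ongoing path that follows (outside the hunk) still dereferences conn, as the commit message's "dangling pointer if ongoing==TRUE" suggests, it needs the same NULL check before any access. The ASan log in this message shows the free happening inside Tls_check_cert_hostname while the popup's Fl::wait() ran, so a comment on the re-lookup would make the reason durable, e.g. `/* re-fetch: the cert popup ran the event loop, which may have closed and freed conn */`. Tls_connect starts before and continues past the hunk.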
--
2.51.2