Hi,

I've found a specific path in the libevent 2.0.2 code which I believe
leads to a series of invalid reads and a double free. Let me describe
it as best as I can; if I find time tomorrow I'll look at writing a
patch.

First of all I receive a request from an http instance of which I take
ownership using evhttp_request_own(request). When that's done I send a
reply, for example evhttp_send_reply(request, 200, "OK", NULL) and
immediately after I call evhttp_request_free(request). This leads to a
series of invalid reads and the following double free:

==23299== Invalid free() / delete / delete[]
==23299==    at 0x4023EBA: free (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==23299==    by 0x804EC9B: evhttp_request_free (http.c:2690)
==23299==    by 0x805080E: evhttp_send_done (http.c:1937)
==23299==    by 0x8058792: _bufferevent_run_writecb (bufferevent.c:175)
==23299==    by 0x8058B57: bufferevent_writecb (bufferevent_sock.c:234)
==23299==    by 0x804CB09: event_base_loop (event.c:665)
==23299==    by 0x804D028: event_base_dispatch (event.c:749)
...
==23299==  Address 0x42e2b88 is 0 bytes inside a block of size 72 free'd
==23299==    at 0x4023EBA: free (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==23299==    by 0x804EC9B: evhttp_request_free (http.c:2690)
...

What I believe happens is that the evhttp_request_free(request)
happens right in between the evhttp_send_reply and evhttp_send_done,
invalidating the memory before evhttp_send_done is called. I think the
actual free from evhttp_request_free should be deferred until this
callback has been called.

Yours,
Jeroen Habraken
_______________________________________________
Libevent-users mailing list
Libevent-users@monkey.org
http://monkeymail.org/mailman/listinfo/libevent-users
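The deferral the message proposes, as an added illustration that is not part of the original mail and not libevent's code: a toy request object (all names here, `toy_request`, `toy_send_reply`, `toy_send_done`, are invented for the example) whose free() is only recorded while a reply is in flight, so the completion callback can still use the object and then performs the single real release itself. The scenario functions reproduce the ordering from the report (own, reply, free, then the loop runs the completion callback) and the normal ordering, and return how many times memory was actually released.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the ordering described in the report.  Invented names, not
 * libevent's API: a request the caller owns, a reply whose completion is
 * signalled later from the event loop's write callback, and a free() that
 * may arrive in between. */
typedef struct toy_request {
    char *body;
    bool reply_pending;  /* reply queued, completion callback not yet run */
    bool free_requested; /* owner asked to free while reply_pending was set */
} toy_request;

/* Observable counter for the scenario functions below: number of real releases. */
static int frees_performed;

static toy_request *toy_request_new(const char *body)
{
    toy_request *req = calloc(1, sizeof *req);
    if (req == NULL)
        return NULL;
    size_t n = strlen(body) + 1;
    req->body = malloc(n);
    if (req->body == NULL) {
        free(req);
        return NULL;
    }
    memcpy(req->body, body, n);
    return req;
}

/* The only place memory is actually given back. */
static void toy_request_release(toy_request *req)
{
    free(req->body);
    free(req);
    frees_performed++;
}

/* Deferred free: while the reply is still in flight, only mark the request;
 * the completion callback performs the release once it is done using it. */
static void toy_request_free(toy_request *req)
{
    if (req->reply_pending) {
        req->free_requested = true;
        return;
    }
    toy_request_release(req);
}

/* Models evhttp_send_reply: bytes are queued, completion comes from the loop. */
static void toy_send_reply(toy_request *req)
{
    req->reply_pending = true;
}

/* Models the write-complete callback (evhttp_send_done in the report).  It
 * still reads req, so req must stay valid until this function returns. */
static void toy_send_done(toy_request *req)
{
    size_t sent = strlen(req->body); /* last legitimate use of the request */
    (void)sent;
    req->reply_pending = false;
    if (req->free_requested)
        toy_request_release(req);    /* the deferred free happens here, exactly once */
}

/* Ordering from the report: reply, free immediately, then the loop runs the
 * completion callback.  Returns the number of real releases (expected 1). */
int scenario_free_before_done(void)
{
    frees_performed = 0;
    toy_request *req = toy_request_new("OK");
    if (req == NULL)
        return -1;
    toy_send_reply(req);
    toy_request_free(req);  /* deferred: reply still pending */
    toy_send_done(req);     /* callback finishes its work, then releases once */
    return frees_performed;
}

/* Normal ordering: free after the completion callback has run (expected 1). */
int scenario_free_after_done(void)
{
    frees_performed = 0;
    toy_request *req = toy_request_new("OK");
    if (req == NULL)
        return -1;
    toy_send_reply(req);
    toy_send_done(req);
    toy_request_free(req);  /* nothing pending: released immediately */
    return frees_performed;
}
```

The point of the model is that `toy_request_free` never frees while `reply_pending` is set, so the sequence in the valgrind trace (a free from the owner, then a second free from inside the completion path) collapses into a single release that runs after the callback's last access to the object.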
