CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2023/11/20 11:14:52
Modified files:
usr.sbin/httpd : Tag: OPENBSD_7_4 httpd.h server.c server_fcgi.c
Log message:
Avoid a NULL dereference when handling a malformed fastcgi request.
Rework the hack to avoid a use-after-free in the fastcgi code.
Since server_fcgi() can be called by server_read_httpcontent() we
can't set clt_fcgi_error to NULL. Instead, we implement a simple
reference count to track when a fastcgi session is in progress to
avoid closing the http session prematurely on fastcgi error.
Based on a diff from and OK by tb@. Reported by Ben Kallus.
from millert@
this is errata/7.4/006_httpd.patch.sig
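
The deferred-close pattern the log message describes, as an added example that is not part of the commit and is not httpd's code: a counter marks the session as in use while a backend handler is on the stack, so an error raised in a nested call only flags the close and the outermost handler performs it. All names (`struct session`, `inflight`, `close_pending`, `backend_handle`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an HTTP session; not httpd's struct client. */
struct session {
    int  inflight;      /* >0 while a backend handler still uses the session */
    int  close_pending; /* teardown was requested while inflight > 0 */
    int *freed;         /* observation hook: set to 1 when memory is released */
};

static struct session *session_new(int *freed) {
    struct session *s = calloc(1, sizeof(*s));
    if (s != NULL) s->freed = freed;
    return s;
}

/* Tear the session down, or defer if a handler is still on the stack. */
static void session_close(struct session *s) {
    if (s->inflight > 0) {
        s->close_pending = 1;
        return;
    }
    *s->freed = 1;
    free(s);
}

/* Re-entrant handler; returns -1 if the session was released on exit. */
static int backend_handle(struct session *s, int depth, int fail) {
    s->inflight++;
    if (depth > 0)
        (void)backend_handle(s, depth - 1, fail);
    else if (fail)
        session_close(s);   /* error path: without the count, s is freed here */
    if (--s->inflight == 0 && s->close_pending) {
        session_close(s);
        return -1;
    }
    return 0;
}

int main(void) {
    int freed = 0, r;
    struct session *s = session_new(&freed);
    if (s == NULL)
        return 1;
    r = backend_handle(s, 1, 1);   /* nested call fails */
    printf("result=%d freed=%d\n", r, freed);
    return 0;
}
```
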