On Thu, Feb 11, 2016 at 03:50:24PM +0100, Alexander Schrijver wrote:
> I ran into this issue when setting up my public_html folder using this
> configuration.
>
> prefork 2
>
> server "default" {
> 	listen on * port 80
>
> 	location match "/~*" {
> 		root "/users"
> 	}
> }
>
> types {
> 	text/css		css
> 	text/html		html htm
> 	text/txt		txt
> 	image/gif		gif
> 	image/jpeg		jpeg jpg
> 	image/png		png
> 	application/javascript	js
> 	application/xml		xml
> }
>
> The patch below fixed it for me. (server_close_http calls str_match_free and
> server_close_http can be called more than once.)
Are you sure the issue you ran into is caused by server_close_http()
being called twice? The only caller thereof is server_free(), which also
frees the client struct. This would result in use after free in
server_close_http() even before the str_match_free() call. I would
rather guess that the sequence in question is server_close_http() being
called after server_reset_http().
However, your patch looks good to me.
natano
>
> Index: patterns.c
> ===================================================================
> RCS file: /backup/mirrors/cvsync/src/usr.sbin/httpd/patterns.c,v
> retrieving revision 1.4
> diff -u -p -u -r1.4 patterns.c
> --- patterns.c 18 Aug 2015 08:26:39 -0000 1.4
> +++ patterns.c 11 Feb 2016 14:45:55 -0000
> @@ -708,5 +708,6 @@ str_match_free(struct str_match *m)
> for (i = 0; i < m->sm_nmatch; i++)
> free(m->sm_match[i]);
> free(m->sm_match);
> + m->sm_match = NULL;
> m->sm_nmatch = 0;
> }
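Review bot: the added `m->sm_match = NULL;` only papers over the second call, and only the array itself was ever double-freed: on the repeat call the loop above it is already skipped because `m->sm_nmatch = 0;` was set by the first call, so the sole remaining hazard was `free(m->sm_match);` on a stale pointer. Nulling it makes str_match_free() idempotent, which is fine as a defensive measure, but it hides rather than removes the caller bug natano describes (server_close_http() running after server_reset_http() has already freed the match). Worth checking that no caller reads `sm_match` after str_match_free() expecting a live pointer, and considering whether the duplicated free in the close path should be dropped as well, so the second call is not relied on.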
>