On Sun, Feb 14, 2016 at 12:20:53PM +0100, Martin Natano wrote:
> Are you sure the issue you ran into is caused by server_close_http()
> being called twice? The only caller thereof is server_free(), which also
> frees the client struct. This would result in use after free in
> server_close_http() even before the str_match_free() call. I would
> rather guess that the sequence in question is server_close_http() being
> called after server_reset_http().
>
> However, your patch looks good to me.
>
> natano
I am sorry, you are right, it was not server_close_http being called twice.
Instead, it was server_reset_http being called twice. This is the log where I
added a printf to server_reset_http and server_close_http which print the
function name and the struct client *clt.

/usr/src/usr.sbin/httpd $ sudo ./httpd -d -vvv
startup
server_privinit: adding server default
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_reset_http 1211d800
server_reset_http 1211d800
default 192.168.1.204 - - [14/Feb/2016:15:47:40 +0100] "GET /~alex/ HTTP/1.1" 200 231
httpd(6456) in free(): error: chunk is already free 0x63512118820
logger exiting, pid 18387
server exiting, pid 5809
parent terminating, pid 4688
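The pattern behind the log above, as an added illustration that is not code from httpd or from either poster: a reset routine that frees an array and zeroes its count but leaves the pointer dangling, so a second reset on the same client hands the same chunk to free() again. The struct below is a stand-in whose field names are guessed from the function names in the thread (an assumption, not httpd's real definition), and the small "live chunk" registry is there only so the example can report the repeated free the way the malloc check in the log does instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: stand-in for httpd's struct str_match; field names are guessed
 * from the function names in the thread, not copied from httpd. */
struct str_match {
	char		**sm_match;
	unsigned int	  sm_nmatch;
};

/* Registry of live chunks, so a repeated free() is reported like the
 * "chunk is already free" line in the log instead of corrupting the heap. */
#define MAX_LIVE 64
static void	*live[MAX_LIVE];
static int	 double_frees;

static void *tracked_malloc(size_t n)
{
	void *p = malloc(n);
	if (p == NULL)
		abort();
	for (int i = 0; i < MAX_LIVE; i++)
		if (live[i] == NULL)
			return live[i] = p;
	abort();	/* registry full; cannot happen with this example's input */
}

static char *tracked_strdup(const char *s)
{
	size_t len = strlen(s) + 1;
	return memcpy(tracked_malloc(len), s, len);
}

static void tracked_free(void *p)
{
	if (p == NULL)
		return;
	for (int i = 0; i < MAX_LIVE; i++)
		if (live[i] == p) {
			live[i] = NULL;
			free(p);
			return;
		}
	double_frees++;	/* not live: already freed (or never allocated here) */
	fprintf(stderr, "tracked_free: chunk %p is already free\n", p);
}

static void str_match_init(struct str_match *sm, const char *const *words,
    unsigned int n)
{
	sm->sm_match = tracked_malloc(n * sizeof(char *));
	sm->sm_nmatch = n;
	for (unsigned int i = 0; i < n; i++)
		sm->sm_match[i] = tracked_strdup(words[i]);
}

/* Buggy pattern: the array is freed but the pointer is left dangling. With
 * the count zeroed, a second call skips the elements and frees the array
 * again: exactly one "chunk is already free". */
static void str_match_free_buggy(struct str_match *sm)
{
	for (unsigned int i = 0; i < sm->sm_nmatch; i++)
		tracked_free(sm->sm_match[i]);
	tracked_free(sm->sm_match);
	sm->sm_nmatch = 0;
}

/* Idempotent version: clearing the pointer turns a repeated reset into a no-op. */
static void str_match_free_safe(struct str_match *sm)
{
	for (unsigned int i = 0; i < sm->sm_nmatch; i++)
		tracked_free(sm->sm_match[i]);
	tracked_free(sm->sm_match);
	sm->sm_match = NULL;
	sm->sm_nmatch = 0;
}

/* Resets one match twice, like the two server_reset_http calls in the log,
 * and returns how many double frees the registry caught. */
static int reset_twice(void (*reset)(struct str_match *))
{
	static const char *const words[] = { "~alex", "index.html" }; /* constructed */
	struct str_match sm;

	double_frees = 0;
	str_match_init(&sm, words, 2);
	reset(&sm);
	reset(&sm);
	return double_frees;
}

int main(void)
{
	printf("buggy: %d double free(s)\n", reset_twice(str_match_free_buggy));
	printf("safe:  %d double free(s)\n", reset_twice(str_match_free_safe));
	return 0;
}
```

The point to check in any free routine that can run more than once per object (reset paths, error paths, close after reset) is that it leaves the object in a state where running it again does nothing: pointer set to NULL, count zeroed. Zeroing the count alone, as the buggy variant does, is what makes the second call free an array it no longer owns.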
