Hi,

There is a bit of spooky code, I think, in the server_read_http function
after freeing the line buffer and parsing the line :)

Right now I think a double-free bug is prevented because the maximum
header length is checked using SERVER_MAXHEADERLENGTH (=8192).

Otherwise, an integer overflow of clt->clt_line to 0 and a malformed line could
perhaps trigger a double-free bug (I'm not 100% sure about this).

Reported in a warning by clang-analyzer.

This patch sets the line to NULL after free(3) just in case.

--- httpd/server_http.c Sun May 28 16:14:39 2017
+++ httpd/server_http.c Sun May 28 16:14:25 2017
@@ -245,6 +245,7 @@ server_read_http(struct bufferevent *bev, void *arg)
                if (!linelen) {
                        clt->clt_headersdone = 1;
                        free(line);
+                       line = NULL;
                        break;
                }
                key = line;
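Review bot: The `line = NULL` before `break` only has an effect if some code reached after the loop (for example a `goto fail` that ends in `free(line)`) can still see the freed pointer; the hunk does not show the `fail:` label, so please name that later free in the description or include it as context, otherwise the assignment reads as purely defensive and the double-free path the analyzer flagged stays undocumented.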
@@ -279,6 +280,7 @@ server_read_http(struct bufferevent *bev, void *arg)
                                goto fail;
 
                        free(line);
+                       line = NULL;
                        continue;
                }
                if (*value == ':') {
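Review bot: The `goto fail;` two lines above `free(line);` jumps while `line` is still live, so the error path must already free it at `fail:`; the NULL assignment before `continue` therefore only matters if something between this `continue` and the next assignment to `line` at the top of the loop can jump to `fail:`. If no such path exists this hunk is harmless but redundant, and it would help to say so in the commit message rather than "just in case".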
@@ -377,6 +379,7 @@ server_read_http(struct bufferevent *bev, void *arg)
                }
 
                free(line);
+               line = NULL;
        }
        if (clt->clt_headersdone) {
                if (desc->http_method == HTTP_METHOD_NONE) {
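Review bot: This hunk, like the other two, does not address the `clt->clt_line` overflow the description raises: NULLing `line` only turns a second `free()` into a no-op, it does not bound the line counter. If the overflow is the real concern, the fix belongs next to the SERVER_MAXHEADERLENGTH check (a limit or a saturating check on `clt_line`), and quoting the clang-analyzer warning in the commit message would document which free-after-free path these assignments guard.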

-- 
Kind regards,
Hiltjo
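To make the free-then-NULL discipline from the patch concrete, here is an added example that is not OpenBSD httpd code: a loop shaped like server_read_http() with a `fail:` label that frees `line` and a post-loop check that can jump to it after the header-terminating free. The input buffer, `readln()`, `parse_headers()` and the free-counting macro are all constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenBSD httpd code: a loop shaped like server_read_http()
 * with a fail: label that frees `line` and a post-loop check that can jump to
 * it. Lines come from a constructed in-memory buffer, not a bufferevent. */
static int allocs, frees;   /* frees counts free() of non-NULL pointers only */
int frees_balanced(void) { return allocs == frees; }
/* free(NULL) is a defined no-op, so a NULLed pointer cannot be freed twice. */
#define TRACKED_FREE(p) do { frees += ((p) != NULL); free(p); } while (0)

/* Next line (malloc'd, newline stripped), or NULL at end of input. */
static char *readln(const char **cur)
{
	size_t len = strcspn(*cur, "\n");
	char *line = **cur ? malloc(len + 1) : NULL;
	if (line != NULL) {
		memcpy(line, *cur, len);
		line[len] = '\0';
		*cur += len + ((*cur)[len] == '\n');
		allocs++;
	}
	return line;
}

/* Number of "key: value" header lines, or -1 on a parse error. */
int parse_headers(const char *cur)
{
	char *line;
	int nheaders = 0, headersdone = 0;

	while ((line = readln(&cur)) != NULL) {
		if (line[0] == '\0') {          /* blank line ends the headers */
			headersdone = 1;
			TRACKED_FREE(line);
			line = NULL;            /* the patch's discipline */
			break;
		}
		if (strchr(line, ':') == NULL)
			goto fail;              /* line still live; freed at fail: */
		nheaders++;
		TRACKED_FREE(line);
		line = NULL;
	}
	if (headersdone && nheaders == 0)
		goto fail;                      /* reached after the free above */
	return nheaders;
fail:
	TRACKED_FREE(line);                     /* NULL by now: no double free */
	return -1;
}
```

The post-loop `goto fail` is the interesting path: without the `line = NULL` after the header-terminating free, `fail:` would free the same buffer a second time.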
