Hi, There is a bit of spooky code, I think, in the server_read_http function after freeing the line buffer and parsing the line :)
Right now I think a double-free bug is prevented because the maximum header length is checked using SERVER_MAXHEADERLENGTH (=8192). Otherwise an integer overflow of clt->clt_line to 0 and a malformed line could perhaps trigger a double-free bug (I'm not 100% sure about this). This was reported in a warning by clang-analyzer. This patch sets the line to NULL after free(3) just in case.
--- httpd/server_http.c Sun May 28 16:14:39 2017 +++ httpd/server_http.c Sun May 28 16:14:25 2017 @@ -245,6 +245,7 @@ server_read_http(struct bufferevent *bev, void *arg) if (!linelen) { clt->clt_headersdone = 1; free(line); + line = NULL; break; } key = line; @@ -279,6 +280,7 @@ server_read_http(struct bufferevent *bev, void *arg) goto fail; free(line); + line = NULL; continue; } if (*value == ':') { @@ -377,6 +379,7 @@ server_read_http(struct bufferevent *bev, void *arg) } free(line); + line = NULL; } if (clt->clt_headersdone) { if (desc->http_method == HTTP_METHOD_NONE) {
-- Kind regards, Hiltjo
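Review bot: in all three hunks the added `line = NULL;` is immediately followed by `break;`, `continue;` or the closing `}` of the loop body, so unless `line` is read after the loop (nothing in the visible context does; the code after the loop goes straight to `if (clt->clt_headersdone)`) or is not reassigned at the top of the next iteration, these are dead stores that the compiler may drop and that only silence the analyzer rather than remove a defect. If the real worry is `clt->clt_line` wrapping to 0 and a subsequent `free(line)` on an already-freed buffer, NULLing the pointer would turn that double free into a silent `free(NULL)` no-op and hide the logic error; the fix belongs at the length arithmetic, for example checking `clt->clt_line` against SERVER_MAXHEADERLENGTH before it is incremented and going to `fail` when the bound is exceeded, and a comment in the commit message should spell out which path the analyzer flagged. Also note the diff header: the `---` (old) file is stamped 16:14:39 and the `+++` (new) file 16:14:25, i.e. the new file is older than the old one, which is worth double-checking before commit even though the `+` lines clearly read as the intended direction.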