Re: [Lynx-dev] use-after-free bug in cookie handling

From: Thorsten Glaser
Subject: Re: [Lynx-dev] use-after-free bug in cookie handling
Date: Thu, 13 Aug 2015 23:04:55 +0000 (UTC)

Dixi quod…

>This looks like the classical “object removed from list, free’d,
>then used to continue traversing the list” bug. And, indeed, there
>is a call to HTList_removeObject() in the loop!

Funnily enough, LYAddCookieHeader() in the same file appears to have
been rewritten to address this precise issue.

The control flow in this function differs, therefore I propose the
following rather minimally invasive patch: after a removal, the loop
header is skipped (duplicating the abort logic, but whatever).

I’ll be running lynx with that patch applied for a while now.

Index: src/LYCookie.c
RCS file: /cvs/src/gnu/usr.bin/lynx/src/LYCookie.c,v
retrieving revision
diff -u -p -r1.1.109.9 LYCookie.c
--- src/LYCookie.c      19 Feb 2012 18:29:34 -0000
+++ src/LYCookie.c      13 Aug 2015 23:03:47 -0000
@@ -723,6 +723,7 @@ static char *scan_cookie_sublist(char *h
     sprintf(crlftab, "%c%c%c", CR, LF, '\t');
     for (hl = sublist; hl != NULL; hl = hl->next) {
+ continue_after_removal:
        co = (cookie *) hl->object;
        if (co == NULL) {
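Review bot: the label `continue_after_removal:` at the top of the loop body exists only so that a goto can re-enter the body without running `hl = hl->next` from the for header, and nothing here says so. Add a short comment on the label explaining that it is entered with `hl` already advanced, or move the advance out of the for header into the body so there is a single place where `hl` moves and no label is needed.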
@@ -752,10 +753,13 @@ static char *scan_cookie_sublist(char *h
        if ((co->flags & COOKIE_FLAG_EXPIRES_SET) &&
            co->expires <= now) {
+           hl = hl->next;
            HTList_removeObject(sublist, co);
-           continue;
+           if (hl)
+               goto continue_after_removal;
+           break;
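Review bot: the `hl = hl->next;` placed before `HTList_removeObject(sublist, co)` is the line that makes this safe, and nothing marks the ordering as mandatory; add a comment there so a later cleanup does not move it below the removal. The `if (hl) goto continue_after_removal; break;` tail also duplicates the `hl != NULL` test from the for header, so writing it as `if (hl != NULL)` keeps the two conditions visibly identical; converting the loop to a `while` with an explicit advance would remove both the goto and the duplicated exit test.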

> Wish I had pine to hand :-( I'll give lynx a try, thanks.

Michael Schmitz on nntp://
a.k.a. {}#news.gmane.linux.debian.ports.68k in pine
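The traversal problem discussed in this message, as an added example that is not part of the original post and is not Lynx code: a loop that removes expired entries reads the successor pointer before the removal frees the current node. The `node` and `entry` types and the functions `list_push`, `list_remove_object`, `purge_expired` and `list_length` are hypothetical stand-ins, and the sample data is constructed.

```c
#include <stdlib.h>
#include <time.h>
/* Hypothetical minimal list and entry types; not Lynx's HTList or cookie. */
typedef struct node { struct node *next; void *object; } node;
typedef struct { int id; time_t expires; } entry;

static node *list_push(node *head, entry *e) {
    node *n = malloc(sizeof *n);
    if (n == NULL) abort();
    n->object = e; n->next = head;
    return n;
}

/* Unlink and free the node holding obj; that node is invalid afterwards. */
static void list_remove_object(node **head, void *obj) {
    node **pp = head;
    while (*pp != NULL && (*pp)->object != obj) pp = &(*pp)->next;
    if (*pp == NULL) return;
    node *dead = *pp;
    *pp = dead->next;
    free(dead);
}

/* Drop entries with expires <= now; entries stay owned by the caller. */
static int purge_expired(node **head, time_t now) {
    int removed = 0;
    for (node *hl = *head, *next; hl != NULL; hl = next) {
        next = hl->next;                  /* read while hl is still valid */
        entry *e = hl->object;
        if (e->expires <= now) {
            list_remove_object(head, e);  /* frees the node hl points to */
            removed++;
        }
    }
    return removed;
}

static int list_length(const node *head) {
    int n = 0;
    for (; head != NULL; head = head->next) n++;
    return n;
}

int main(void) {
    entry e[] = { {0, 10}, {1, 20}, {2, 30}, {3, 40}, {4, 5} }; /* constructed */
    node *head = NULL;
    for (int i = 0; i < 5; i++) head = list_push(head, &e[i]);
    return purge_expired(&head, 25) == 3 && list_length(head) == 2 ? 0 : 1;
}
```

The sample covers an expired head node and two consecutive expired nodes at the tail, the cases where advancing through the freed node would go wrong.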
