lwip-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #50424] Double free of http_state when post data enabl

From: Josh Green
Subject: [lwip-devel] [bug #50424] Double free of http_state when post data enabled
Date: Tue, 28 Feb 2017 19:30:39 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 
URL:
  <http://savannah.nongnu.org/bugs/?50424>

                 Summary: Double free of http_state when post data enabled
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: jgreen
            Submitted on: Tue 28 Feb 2017 04:30:38 PM PST
                Category: None
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: 2.0.0

    _______________________________________________________

Details:

I'm getting double frees in the 2.0.1 httpd app.  I've customized the code
somewhat to handle unknown custom file lengths (for dynamic POST data
responses), but I don't think this issue is related to those changes.  This
worked fine with the HTTP server in lwIP 1.0.4.

In http_recv() http_post_rxpbuf() is called where the first call to http_eof()
occurs.

After returning from http_post_rxpbuf() the http_state should no longer be
used, but it is with the statement:
if (hs->post_content_len_left == 0)

http_send is then called, which calls http_eof() again, causing a double
free.


Attached are backtraces for both frees.  Please note that line numbers will
not match stock 2.0.1 lwIP.

Also attached is my lwipopts.h header file.




    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Tue 28 Feb 2017 04:30:38 PM PST  Name: lwIP-httpd-double-free.txt  Size:
4kB   By: jgreen

<http://savannah.nongnu.org/bugs/download.php?file_id=39857>
-------------------------------------------------------
Date: Tue 28 Feb 2017 04:30:38 PM PST  Name: lwipopts.h  Size: 2kB   By:
jgreen

<http://savannah.nongnu.org/bugs/download.php?file_id=39858>

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?50424>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]