author | Theo Buehler <tb@cvs.openbsd.org> | 2023-07-12 12:37:29 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2023-07-12 12:37:29 +0000 |
commit | cfba8853df834fa3167c2bb56dd0da57f8d43ce8 | |
tree | 1c72eae3815914f4acbee7adaaed1257493b326b /usr.sbin/httpd/server.c | |
parent | f53408e0026cdc97058b6130dee30960e2c5fe85 | |
Work around use after free in httpd(8)
A malformed HTTP request can cause httpd in fastcgi mode to crash due to a
use-after-free. This is an awful hack, but it's good enough until someone
figures out the correct way of dealing with server_close() here.
"this will do the trick for now" claudio
ok beck deraadt
Diffstat (limited to 'usr.sbin/httpd/server.c')
-rw-r--r-- | usr.sbin/httpd/server.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c index 90a47d67c80..6999b08cfae 100644 --- a/usr.sbin/httpd/server.c +++ b/usr.sbin/httpd/server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server.c,v 1.126 2021/07/14 13:33:57 kn Exp $ */ +/* $OpenBSD: server.c,v 1.127 2023/07/12 12:37:27 tb Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org> @@ -1300,6 +1300,11 @@ server_close(struct client *clt, const char *msg) { struct server *srv = clt->clt_srv; + if (clt->clt_fcgi_error != NULL) { + clt->clt_fcgi_error = msg; + return; + } + SPLAY_REMOVE(client_tree, &srv->srv_clients, clt); /* free the HTTP descriptors incl. headers */ |
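Review bot: The early return added at the top of server_close() makes clt->clt_fcgi_error serve as both the "close is being deferred" flag and the slot for the deferred message, and `clt->clt_fcgi_error = msg;` can undo the guard: if a caller passes msg == NULL while the field is set, the assignment clears it, and the next server_close() call falls through to SPLAY_REMOVE and the frees that this check is meant to postpone. Consider keeping the existing value when msg is NULL, or tracking the deferred state in a separate flag. The field also stores the pointer rather than a copy, so msg has to outlive the call; a string literal is fine, a caller-local buffer is not. Finally, the code that sets clt_fcgi_error to a non-NULL value and later performs the real close is outside this file-limited diff, so a short comment above the check naming that code path and stating that server_close() is intentionally a no-op in this state would help the next reader, given that the commit message describes this as a temporary workaround.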