From cfba8853df834fa3167c2bb56dd0da57f8d43ce8 Mon Sep 17 00:00:00 2001
From: Theo Buehler
Date: Wed, 12 Jul 2023 12:37:29 +0000
Subject: Work around use after free in httpd(8)

A malformed HTTP request can cause httpd in fastcgi mode to crash due to a use-after-free. This is an awful hack, but it's good enough until someone figures out the correct way of dealing with server_close() here.

"this will do the trick for now" claudio ok beck deraadt
---
 usr.sbin/httpd/server.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'usr.sbin/httpd/server.c')

diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 90a47d67c80..6999b08cfae 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.126 2021/07/14 13:33:57 kn Exp $ */
+/* $OpenBSD: server.c,v 1.127 2023/07/12 12:37:27 tb Exp $ */
 /*
 * Copyright (c) 2006 - 2015 Reyk Floeter
@@ -1300,6 +1300,11 @@ server_close(struct client *clt, const char *msg)
 {
 struct server *srv = clt->clt_srv;
+ if (clt->clt_fcgi_error != NULL) {
+ clt->clt_fcgi_error = msg;
+ return;
+ }
+
 SPLAY_REMOVE(client_tree, &srv->srv_clients, clt);
 /* free the HTTP descriptors incl. headers */
--
cgit v1.2.3
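Review bot: The early return added at the top of server_close() carries no comment saying that a non-NULL `clt_fcgi_error` is being used as a "close deferred" marker, so a reader sees a close function that silently skips the SPLAY_REMOVE and the frees below it. I would put something like `/* XXX UAF workaround: fcgi code still uses clt; record msg and let it finish the close */` above the `if`. Two things are worth confirming against code outside this hunk: that whoever sets `clt_fcgi_error` always clears it and calls server_close() again, since otherwise the client is never removed from the tree or freed, and that no caller passes a NULL `msg` on this path, because `clt->clt_fcgi_error = msg;` would then clear the marker itself. server_close()'s body continues past the end of the hunk.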