CVSROOT:        /cvs
Module name:    src
Changes by:     bl...@cvs.openbsd.org   2015/05/18 10:57:20

Modified files:
        usr.sbin/relayd: relay.c relay_http.c

Log message:
Fix a crash reported and analyzed by Bertrand PROVOST. When an HTTP client or server writes multiple requests or chunks in a single transfer, relayd invokes the libevent callback manually for the next data. If the callback closes the session, this resulted in a use after free. Instead of the more complicated fix suggested by Bertrand PROVOST, just move the invocation of the callback to the end of the function. So in case the callback frees any structures, they are not accessed. OK benno@ reyk@
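
The ordering problem described in the log message, as an added example that is not relayd's code and not part of the commit: a constructed model in which closing a session only clears a flag, so accesses made after the close can be counted safely. All names (`struct session`, `session_touch`, `handle_early`, `handle_late`, `run`) are hypothetical, and the model assumes the last buffered item closes the session.

```c
#include <stdio.h>
/* Constructed model, not relayd code. "Closing" only clears a flag, so a
 * stale access can be counted instead of being undefined behaviour. */
struct session { int live, pending, handled; };
static int stale_accesses;	/* accesses made after the session closed */

static void session_touch(struct session *s)
{
	if (s->live)
		s->handled++;
	else
		stale_accesses++;	/* a use after free in real code */
}

/* Before: the manual callback runs mid-function. */
static void handle_early(struct session *s)
{
	if (--s->pending == 0) {	/* last buffered item: close */
		s->live = 0;
		return;
	}
	handle_early(s);	/* callback for the next data, may close s */
	session_touch(s);	/* s is used after the callee returned */
}

/* After: every access to s happens before the callback. */
static void handle_late(struct session *s)
{
	if (--s->pending == 0) {
		s->live = 0;
		return;
	}
	session_touch(s);
	handle_late(s);		/* last statement, nothing follows it */
}

/* Hypothetical driver: returns the number of stale accesses. */
static int run(void (*handler)(struct session *), int pending)
{
	struct session s = { 1, pending, 0 };
	stale_accesses = 0;
	handler(&s);
	return stale_accesses;
}

int main(void)
{
	printf("early=%d late=%d\n", run(handle_early, 3), run(handle_late, 3));
	return 0;
}
```

With three buffered items the early ordering touches the closed session twice, once per caller frame that resumes after the close, while the late ordering never does.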