CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2015/05/18 10:57:20
Modified files:
usr.sbin/relayd: relay.c relay_http.c
Log message:
Fix a crash reported and analyzed by Bertrand PROVOST. When a HTTP
client or server writes multiple requests or chunks in a single
transfer, relayd invokes the libevent callback manually for the
next data. If the callback closes the session, this resulted in
an use after free.
Instead of the more complicated fix suggested by Bertrand PROVOST,
just move the invocation of the callback to the end of the function.
So in case the callback frees any structures, they are not accessed.
OK benno@ reyk@
