diff options
| author |  Christian Hesse <mail@eworm.de> | 2017-11-28 18:55:24 +0100 |
|---|---|---|
| committer | Christian Hesse <mail@eworm.de> | 2017-11-28 18:55:24 +0100 |
| commit | 0e9c18db5a4f4818f273a72723970b4d11d82eeb (patch) | |
| tree | 6b8c3cbfd53078b14c74614a3643cd4bd7c5089f | |
| parent | 7e233c67fcfeb5d8a14fcfa26a9bbd53b2968a27 (diff) | |
| download | pacredir-0e9c18db5a4f4818f273a72723970b4d11d82eeb.tar.gz pacredir-0e9c18db5a4f4818f273a72723970b4d11d82eeb.tar.zst | |
fix memory corruption with libmicrohttpd
We had a race where page was freed before the queue finished. Tell
libmicrohttpd it has to free itself.
| -rw-r--r-- | pacredir.c | 7 |
1 files changed, 3 insertions, 4 deletions
@@ -369,7 +369,7 @@ static int ahc_echo(void * cls, int ret; struct hosts * tmphosts = hosts; - char * url = NULL, * page; + char * url = NULL, * page = NULL; const char * basename, * host = NULL; struct timeval tv; @@ -558,7 +558,7 @@ response: write_log(stdout, "Redirecting to %s: %s\n", host, url); page = malloc(strlen(PAGE307) + strlen(url) + strlen(basename) + 1); sprintf(page, PAGE307, url, basename); - response = MHD_create_response_from_buffer(strlen(page), (void*) page, MHD_RESPMEM_PERSISTENT); + response = MHD_create_response_from_buffer(strlen(page), (void*) page, MHD_RESPMEM_MUST_FREE); ret = MHD_add_response_header(response, "Location", url); ret = MHD_queue_response(connection, MHD_HTTP_TEMPORARY_REDIRECT, response); free(url); @@ -575,7 +575,7 @@ response: page = malloc(strlen(PAGE404) + strlen(basename) + 1); sprintf(page, PAGE404, basename); - response = MHD_create_response_from_buffer(strlen(page), (void*) page, MHD_RESPMEM_PERSISTENT); + response = MHD_create_response_from_buffer(strlen(page), (void*) page, MHD_RESPMEM_MUST_FREE); ret = MHD_queue_response(connection, MHD_HTTP_NOT_FOUND, response); } @@ -585,7 +585,6 @@ response: sd_notifyf(0, "STATUS=%d redirects, %d not found, waiting...", count_redirect, count_not_found); - free(page); if (req_count > -1) { free(tid); free(requests); |