walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

nghttpx: Fix heap-use-after-free bug in http/1 frontend 

This is a regression introduced in
4be4d875f3
This commit is contained in:
Tatsuhiro Tsujikawa 2015-05-05 23:43:56 +09:00
parent bc0190c19f
commit 7ecca39025
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/shrpx_https_upstream.cc
View File

@ -271,9 +271,11 @@ int htp_hdrs_completecb(http_parser *htp) {
if (downstream->get_request_method() != "CONNECT") { if (downstream->get_request_method() != "CONNECT") {
http_parser_url u{}; http_parser_url u{};
auto uri = downstream->get_request_path().c_str(); // make a copy of request path, since we may set request path
rv = http_parser_parse_url(uri, downstream->get_request_path().size(), 0, // while we are refering to original request path.
&u); auto uri = downstream->get_request_path();
rv = http_parser_parse_url(uri.c_str(),
downstream->get_request_path().size(), 0, &u);
if (rv != 0) { if (rv != 0) {
// Expect to respond with 400 bad request // Expect to respond with 400 bad request
return -1; return -1;
@ -285,8 +287,7 @@ int htp_hdrs_completecb(http_parser *htp) {
return -1; return -1;
} }
} else { } else {
rewrite_request_host_path_from_uri(downstream, uri, u); rewrite_request_host_path_from_uri(downstream, uri.c_str(), u);
// uri could be invalidated here
} }
} }