From 9439ba75d3a29273c37a38195cb05c619622e64f Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Tue, 4 Oct 2016 00:32:02 +0900
Subject: [PATCH] nghttpx: Fix heap-use-after-free when executing new binary

---
 src/shrpx_config.cc | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index 2b24f77b..fc603dc5 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -2305,14 +2305,24 @@ int parse_config(Config *config, int optid, const StringRef &opt,
   case SHRPX_OPTID_WORKER_WRITE_BURST:
     LOG(WARN) << opt << ": not implemented yet";
     return 0;
-  case SHRPX_OPTID_NPN_LIST:
-    config->tls.npn_list = util::split_str(optarg, ',');
+  case SHRPX_OPTID_NPN_LIST: {
+    auto list = util::split_str(optarg, ',');
+    config->tls.npn_list.resize(list.size());
+    for (size_t i = 0; i < list.size(); ++i) {
+      config->tls.npn_list[i] = make_string_ref(config->balloc, list[i]);
+    }
 
     return 0;
-  case SHRPX_OPTID_TLS_PROTO_LIST:
-    config->tls.tls_proto_list = util::split_str(optarg, ',');
+  }
+  case SHRPX_OPTID_TLS_PROTO_LIST: {
+    auto list = util::split_str(optarg, ',');
+    config->tls.tls_proto_list.resize(list.size());
+    for (size_t i = 0; i < list.size(); ++i) {
+      config->tls.tls_proto_list[i] = make_string_ref(config->balloc, list[i]);
+    }
 
     return 0;
+  }
   case SHRPX_OPTID_VERIFY_CLIENT:
     config->tls.client_verify.enabled = util::strieq_l("yes", optarg);