fix epoll use after free

author: Christian Grothoff <christian@grothoff.org> 2013-09-02 21:00:31 +0000
committer: Christian Grothoff <christian@grothoff.org> 2013-09-02 21:00:31 +0000
commit: 41d2fc1eba51dbb1c2c23d83d18e985f92cd6d53 (patch)
tree: bf7f61d795f50988cbdb08fde09861d91bdba6e5
parent: 90acb6bbbd28beac0567e383a8572b21238a19a4 (diff)
download: libmicrohttpd-41d2fc1eba51dbb1c2c23d83d18e985f92cd6d53.tar.gz
libmicrohttpd-41d2fc1eba51dbb1c2c23d83d18e985f92cd6d53.zip
3 files changed, 13 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 2791f68a..9fcf977a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+Mon Sep  2 22:59:45 CEST 2013
+        Fix use-after-free in epoll()-mode on read error. -CG
 Sun Sep  1 21:55:53 CEST 2013
        Fixing build issues on FreeBSD. -CG
diff --git a/src/microhttpd/connection.c b/src/microhttpd/connection.c
index 48a07cf4..2e5979c5 100644
--- a/src/microhttpd/connection.c
+++ b/src/microhttpd/connection.c
@@ -1824,7 +1824,7 @@ int
 MHD_connection_handle_read (struct MHD_Connection *connection)
 {
  update_last_activity (connection);
-  if (connection->state == MHD_CONNECTION_CLOSED)
+  if (MHD_CONNECTION_CLOSED == connection->state)
    return MHD_YES;
  /* make sure "read" has a reasonable number of bytes
     in buffer to use per system call (if possible) */
@@ -2169,13 +2169,13 @@ MHD_connection_handle_idle (struct MHD_Connection *connection)
          continue;
        case MHD_CONNECTION_HEADERS_RECEIVED:
          parse_connection_headers (connection);
-          if (connection->state == MHD_CONNECTION_CLOSED)
+          if (MHD_CONNECTION_CLOSED == connection->state)
            continue;
          connection->state = MHD_CONNECTION_HEADERS_PROCESSED;
          continue;
        case MHD_CONNECTION_HEADERS_PROCESSED:
          call_connection_handler (connection); /* first call */
-          if (connection->state == MHD_CONNECTION_CLOSED)
+          if (MHD_CONNECTION_CLOSED == connection->state)
            continue;
          if (need_100_continue (connection))
            {
@@ -2208,7 +2208,7 @@ MHD_connection_handle_idle (struct MHD_Connection *connection)
          if (connection->read_buffer_offset != 0)
            {
              process_request_body (connection);     /* loop call */
-              if (connection->state == MHD_CONNECTION_CLOSED)
+              if (MHD_CONNECTION_CLOSED == connection->state)
                continue;
            }
          if ((connection->remaining_upload_size == 0) ||
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c
index 5d99fa40..b8bb7b3d 100644
--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -1591,7 +1591,12 @@ MHD_cleanup_connections (struct MHD_Daemon *daemon)
                        pos->addr_len);
 #if EPOLL_SUPPORT
      if (0 != (pos->epoll_state & MHD_EPOLL_STATE_IN_EREADY_EDLL))
-        MHD_PANIC ("Internal error");
+        {
+          EDLL_remove (daemon->eready_head,
+                       daemon->eready_tail,
+                       pos);
+          pos->epoll_state &= ~MHD_EPOLL_STATE_IN_EREADY_EDLL;
+        }
      if ( (0 != (daemon->options & MHD_USE_EPOLL_LINUX_ONLY)) &&
           (-1 != daemon->epoll_fd) &&
           (0 != (pos->epoll_state & MHD_EPOLL_STATE_IN_EPOLL_SET)) )
author	Christian Grothoff <christian@grothoff.org>	2013-09-02 21:00:31 +0000
committer	Christian Grothoff <christian@grothoff.org>	2013-09-02 21:00:31 +0000
commit	41d2fc1eba51dbb1c2c23d83d18e985f92cd6d53 (patch)
tree	bf7f61d795f50988cbdb08fde09861d91bdba6e5
parent	90acb6bbbd28beac0567e383a8572b21238a19a4 (diff)
download	libmicrohttpd-41d2fc1eba51dbb1c2c23d83d18e985f92cd6d53.tar.gz libmicrohttpd-41d2fc1eba51dbb1c2c23d83d18e985f92cd6d53.zip