Describe the issue
I found a UAF bug in http-connection.c, in function httpc_read_cb
To Reproduce
Found it by static analysis~
Expected behavior
In this function, lines 168-169 look like this:

```c
redsocks_shutdown(client, client->client, SHUT_RD);
const size_t avail = evbuffer_get_length(client->client->input);
if (avail) {
    if (evbuffer_drain(client->client->input, avail) != 0) {
        redsocks_log_errno(client, LOG_NOTICE, "evbuffer_drain");
        goto fail;
    }
}
redsocks_shutdown(client, client->relay, SHUT_WR);
client->state = httpc_headers_skipped;
```
In redsocks_shutdown, there is a possibility of calling redsocks_drop_client(client), in redsocks.c line 790, which looks like this:

```c
if (shut_both(client)) {
    redsocks_log_error(client, LOG_DEBUG, "both client and server disconnected");
    redsocks_drop_client(client);
}
```
But after calling redsocks_shutdown above, client was visited many times. So I'm wondering if it might lead to UAF here.
Also, there is another similar problem in redsocks.c: at line 820 we call redsocks_shutdown(client, buffev, SHUT_RD); but at line 824 we visit client->state again.
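The hazard reported above is a general one: a teardown helper that may free the object it is handed, followed by a caller that keeps dereferencing that object. The example below is added here to illustrate the defect class and one defensive shape for the fix; it is a constructed toy model, not redsocks code, and all names in it (`conn_t`, `shutdown_side`, `read_cb_checked`, `SHUT_RD_FLAG`, `ST_HEADERS_SKIPPED`) are hypothetical. The mitigation it shows is to have the helper report whether it dropped the connection so the caller can stop touching it; the same idea applies to the second site mentioned at line 820/824.

```c
#include <stdlib.h>
#include <stdio.h>

/* Constructed toy model of the issue's pattern (not redsocks code):
 * a connection with a client side and a relay side; shutting one
 * direction may, once every direction is shut, free the whole object. */
enum { SHUT_RD_FLAG = 1, SHUT_WR_FLAG = 2 };        /* hypothetical names */
enum { ST_OPEN = 0, ST_HEADERS_SKIPPED = 1 };       /* hypothetical states */

typedef struct {
    int client_shut;  /* bitmask of SHUT_*_FLAG applied to the client side */
    int relay_shut;   /* same for the relay side */
    int state;
} conn_t;

static int dropped_count = 0;  /* observable side effect for the checks below */

static int shut_both(const conn_t *c) {
    return c->client_shut == (SHUT_RD_FLAG | SHUT_WR_FLAG)
        && c->relay_shut  == (SHUT_RD_FLAG | SHUT_WR_FLAG);
}

static void drop_client(conn_t *c) {
    dropped_count++;
    free(c);
}

/* Shuts one direction of one side. Returns 1 when this call dropped
 * (freed) the connection and 0 when `c` is still valid. Reporting that
 * fact to the caller is what makes the use-after-free avoidable. */
static int shutdown_side(conn_t *c, int *side, int how) {
    *side |= how;
    if (shut_both(c)) {
        drop_client(c);
        return 1;   /* caller must not dereference c after this */
    }
    return 0;
}

enum { CB_OK = 0, CB_DROPPED = 1 };

/* Same step sequence as the reported read callback, but each step that
 * may free `c` is checked before `c` is dereferenced again. */
static int read_cb_checked(conn_t *c) {
    if (shutdown_side(c, &c->client_shut, SHUT_RD_FLAG))
        return CB_DROPPED;
    /* the drain of the client input buffer would sit here */
    if (shutdown_side(c, &c->relay_shut, SHUT_WR_FLAG))
        return CB_DROPPED;
    c->state = ST_HEADERS_SKIPPED;   /* only reached while c is live */
    return CB_OK;
}

static conn_t *new_conn(int client_shut, int relay_shut) {
    conn_t *c = calloc(1, sizeof *c);
    c->client_shut = client_shut;
    c->relay_shut = relay_shut;
    return c;
}

/* Scenario 1: nothing else is shut; the callback completes and c survives. */
int scenario_live(void) {
    dropped_count = 0;
    conn_t *c = new_conn(0, 0);
    int r = read_cb_checked(c);
    int ok = (r == CB_OK && c->state == ST_HEADERS_SKIPPED && dropped_count == 0);
    free(c);
    return ok;
}

/* Scenario 2: the relay is fully shut and the client's write half is
 * closed, so the very first shutdown drops the connection; the checked
 * callback reports that instead of draining a freed buffer. */
int scenario_dropped_early(void) {
    dropped_count = 0;
    conn_t *c = new_conn(SHUT_WR_FLAG, SHUT_RD_FLAG | SHUT_WR_FLAG);
    return read_cb_checked(c) == CB_DROPPED && dropped_count == 1;
}

/* Scenario 3: the first shutdown is harmless but the second one (relay
 * SHUT_WR) completes the set, so the trailing state write must be skipped. */
int scenario_dropped_late(void) {
    dropped_count = 0;
    conn_t *c = new_conn(SHUT_WR_FLAG, SHUT_RD_FLAG);
    return read_cb_checked(c) == CB_DROPPED && dropped_count == 1;
}

int main(void) {
    printf("live=%d early=%d late=%d\n",
           scenario_live(), scenario_dropped_early(), scenario_dropped_late());
    return 0;
}
```

Running the block prints `live=1 early=1 late=1`. The design point is that the teardown helper's return value, not the caller's guesswork, carries the "object is gone" fact; an equivalent approach is a refcount held across the callback so the object cannot be freed until the callback returns.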