deac/osd-contiki
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Zero out httpd_state before deallocating

Browse source 
When a connection is aborted by the HTTP server while it's still being processed it is possible to hit a null pointer dereference issue by jumping back to a protothread (outputpt) after its httpd_state has been freed. This can be triggered by sending a POST to any form in the CC26xx web demo server using Firefox.
This patch prevents that by zeroing out httpd_state structs before freeing them, thus also clearing the httpd_state->outputpt field.
Tested using Firefox 55.0a1 on a CC2650 LaunchPad.
This commit is contained in:
alexstanoev 2017-03-31 16:44:11 +01:00
parent 4425a67433
commit a30364189a
1 changed files with 2 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
examples/cc26xx/cc26xx-web-demo/httpd-simple.c
View file

@ -1268,9 +1268,7 @@ appcall(void *state)
if(uip_closed() || uip_aborted() || uip_timedout()) { if(uip_closed() || uip_aborted() || uip_timedout()) {
if(s != NULL) { if(s != NULL) {
s->script = NULL; memset(s, 0, sizeof(struct httpd_state));
s->blen = 0;
s->tmp_buf_len = 0;
memb_free(&conns, s); memb_free(&conns, s);
} }
} else if(uip_connected()) { } else if(uip_connected()) {
@ -1291,7 +1289,7 @@ appcall(void *state)
if(uip_poll()) { if(uip_poll()) {
if(timer_expired(&s->timer)) { if(timer_expired(&s->timer)) {
uip_abort(); uip_abort();
s->script = NULL; memset(s, 0, sizeof(struct httpd_state));
memb_free(&conns, s); memb_free(&conns, s);
} }
} else { } else {