gotwebd: double free in gotweb_free

From:: Omar Polo <op@omarpolo.com>
Subject:: gotwebd: double free in gotweb_free_querystring
To:: gameoftrees@openbsd.org
Date:: Mon, 15 Aug 2022 18:05:29 +0200

Download raw body.

Thread

2022-08-15 16:05 Omar Polo:
gotwebd: double free in gotweb_free_querystring
- 2022-08-15 16:08 Tracey Emery:
  gotwebd: double free in gotweb_free_querystring

found the hard way.  fcgi_cleanup_request already takes care of
freeing the querystring.  ok?


commit f160c80fac26cc4052cd1d67c896af6e38919ac8 (gwdprintf)
from: Omar Polo <op@omarpolo.com>
date: Mon Aug 15 15:57:23 2022 UTC
 
 don't free the querystring on error: it's already done later
 
 fixes an otherwise double free in the error path.
 
diff 917be9c7fdaed06fb6f17cf9a2d556f9272a3c81 f160c80fac26cc4052cd1d67c896af6e38919ac8
commit - 917be9c7fdaed06fb6f17cf9a2d556f9272a3c81
commit + f160c80fac26cc4052cd1d67c896af6e38919ac8
blob - f332e5d6085b45092bae5d9094c76128da56fc32
blob + 52c84095ccc511d21f371909ab1d5c6fd9bf122c
--- gotwebd/gotweb.c
+++ gotwebd/gotweb.c
@@ -145,7 +145,6 @@ gotweb_process_request(struct request *c)
 	c->t->qs = qs;
 	error = gotweb_parse_querystring(&qs, c->querystring);
 	if (error) {
-		gotweb_free_querystring(qs);
 		log_warnx("%s: %s", __func__, error->msg);
 		goto err;
 	}

2022-08-15 16:05 Omar Polo:
gotwebd: double free in gotweb_free_querystring
- 2022-08-15 16:08 Tracey Emery:
  gotwebd: double free in gotweb_free_querystring