gotwebd: double free in gotweb_free_querystring
On Mon, Aug 15, 2022 at 06:05:29PM +0200, Omar Polo wrote:
> found the hard way. fcgi_cleanup_request already takes care of
> freeing the querystring. ok?
ok
>
>
> commit f160c80fac26cc4052cd1d67c896af6e38919ac8 (gwdprintf)
> from: Omar Polo <op@omarpolo.com>
> date: Mon Aug 15 15:57:23 2022 UTC
>
> don't free the querystring on error: it's already done later
>
> fixes an otherwise double free in the error path.
>
> diff 917be9c7fdaed06fb6f17cf9a2d556f9272a3c81 f160c80fac26cc4052cd1d67c896af6e38919ac8
> commit - 917be9c7fdaed06fb6f17cf9a2d556f9272a3c81
> commit + f160c80fac26cc4052cd1d67c896af6e38919ac8
> blob - f332e5d6085b45092bae5d9094c76128da56fc32
> blob + 52c84095ccc511d21f371909ab1d5c6fd9bf122c
> --- gotwebd/gotweb.c
> +++ gotwebd/gotweb.c
> @@ -145,7 +145,6 @@ gotweb_process_request(struct request *c)
> c->t->qs = qs;
> error = gotweb_parse_querystring(&qs, c->querystring);
> if (error) {
> - gotweb_free_querystring(qs);
> log_warnx("%s: %s", __func__, error->msg);
> goto err;
> }
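Review bot: The error branch after `gotweb_parse_querystring(&qs, c->querystring)` now relies on an ownership rule that nothing in this function states. `c->t->qs = qs;` is assigned before the parse, and the parse receives `&qs`, so it is able to change the local pointer after the alias was taken. Please confirm that `c->t->qs` and `qs` still refer to the same object when `goto err` is reached; otherwise the cleanup in fcgi_cleanup_request would release something other than what the parser left in `qs`. A short comment above `goto err` saying the querystring is owned by `c->t` and released in fcgi_cleanup_request would keep a later change from reintroducing the free here.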
>
>
--
Tracey Emery