From: Tracey Emery Subject: Re: gotwebd: double free in gotweb_free_querystring To: Omar Polo Cc: gameoftrees@openbsd.org Date: Mon, 15 Aug 2022 10:08:47 -0600 On Mon, Aug 15, 2022 at 06:05:29PM +0200, Omar Polo wrote: > found the hard way. fcgi_cleanup_request already takes care of > freeing the querystring. ok? ok > > > commit f160c80fac26cc4052cd1d67c896af6e38919ac8 (gwdprintf) > from: Omar Polo > date: Mon Aug 15 15:57:23 2022 UTC > > don't free the querystring on error: it's already done later > > fixes an otherwise double free in the error path. > > diff 917be9c7fdaed06fb6f17cf9a2d556f9272a3c81 f160c80fac26cc4052cd1d67c896af6e38919ac8 > commit - 917be9c7fdaed06fb6f17cf9a2d556f9272a3c81 > commit + f160c80fac26cc4052cd1d67c896af6e38919ac8 > blob - f332e5d6085b45092bae5d9094c76128da56fc32 > blob + 52c84095ccc511d21f371909ab1d5c6fd9bf122c > --- gotwebd/gotweb.c > +++ gotwebd/gotweb.c > @@ -145,7 +145,6 @@ gotweb_process_request(struct request *c) > c->t->qs = qs; > error = gotweb_parse_querystring(&qs, c->querystring); > if (error) { > - gotweb_free_querystring(qs); > log_warnx("%s: %s", __func__, error->msg); > goto err; > } > > -- Tracey Emery
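Review bot: In the error branch after `error = gotweb_parse_querystring(&qs, c->querystring);`, nothing now records who owns qs, so a later reader may be tempted to put the free back. A short comment in that branch, saying that qs is already reachable through `c->t->qs = qs;` and is released by fcgi_cleanup_request, would document the invariant this fix depends on. Since the parser receives `&qs` rather than `qs`, it is also worth confirming that it never stores a different pointer through that argument: if it did, c->t->qs and the local qs would diverge, and the cleanup path would free a pointer other than the one the parser left behind.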