Fix incorrect assertions and possible use-after-free in evrpc_free()

Original description:

  The following patch fixes incorrect assertions in evrpc_free():
  evrpc_unregister_rpc() and evrpc_remove_hook() return 0 for success.

  Also, in evrpc_unregister_rpc(), it is better to free RPC structure
  at the end: evrpc_free() uses rpc->uri as "name" parameter when
  calling evrpc_unregister_rpc(), then rpc->uri is freed, but we have
  "registered_uri = evrpc_construct_uri(name)". So at this time "name"
  is invalid.

diff --git a/evrpc.c b/evrpc.c
index 9d69299490cbaf2108413c75b857bcbaab54be0e..e11892dcc07175cee690dec8bf9898b8a4014fa6 100644 (file)
--- a/evrpc.c
+++ b/evrpc.c
@@ -98,7 +98,7 @@ evrpc_free(struct evrpc_base *base)
 
        while ((rpc = TAILQ_FIRST(&base->registered_rpcs)) != NULL) {
                r = evrpc_unregister_rpc(base, rpc->uri);
-               EVUTIL_ASSERT(r);
+               EVUTIL_ASSERT(r == 0);
        }
        while ((pause = TAILQ_FIRST(&base->paused_requests)) != NULL) {
                TAILQ_REMOVE(&base->paused_requests, pause, next);
@@ -263,9 +263,6 @@ evrpc_unregister_rpc(struct evrpc_base *base, const char *name)
        }
        TAILQ_REMOVE(&base->registered_rpcs, rpc, next);
 
-       mm_free((char *)rpc->uri);
-       mm_free(rpc);
-
        registered_uri = evrpc_construct_uri(name);
 
        /* remove the http server callback */
@@ -273,6 +270,9 @@ evrpc_unregister_rpc(struct evrpc_base *base, const char *name)
        EVUTIL_ASSERT(r == 0);
 
        mm_free(registered_uri);
+
+       mm_free((char *)rpc->uri);
+       mm_free(rpc);
        return (0);
 }