Avoid racy bufferevent activation
authorNate Rosenblum <nater@maginatics.com>
Tue, 3 Sep 2013 21:46:47 +0000 (14:46 -0700)
committerNick Mathewson <nickm@torproject.org>
Mon, 9 Sep 2013 15:59:00 +0000 (11:59 -0400)
The evhttp_send_reply method invokes evhttp_write_buffer with a
callback that may release the underlying request object and
bufferevent upon completion. This cleanup callback is invoked by the
underlying bufferevent's write callback. Improperly enabling write
events before referencing the bufferevent could lead to use after free
and memory corruption.

http.c

diff --git a/http.c b/http.c
index 9b96ffb3b2313ec6f91b96d5c557bf491f52f770..377597eabe81edd460f9b698f3f5ff8ac52e069b 100644 (file)
--- a/http.c
+++ b/http.c
@@ -383,8 +383,6 @@ evhttp_write_buffer(struct evhttp_connection *evcon,
        evcon->cb = cb;
        evcon->cb_arg = arg;
 
-       bufferevent_enable(evcon->bufev, EV_WRITE);
-
        /* Disable the read callback: we don't actually care about data;
         * we only care about close detection.  (We don't disable reading,
         * since we *do* want to learn about any close events.) */
@@ -393,6 +391,8 @@ evhttp_write_buffer(struct evhttp_connection *evcon,
            evhttp_write_cb,
            evhttp_error_cb,
            evcon);
+
+       bufferevent_enable(evcon->bufev, EV_WRITE);
 }
 
 static void
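Review bot: The relocated `bufferevent_enable(evcon->bufev, EV_WRITE);` at the end of evhttp_write_buffer has no comment recording why it must stay last, so a later tidy-up could move it back above `bufferevent_setcb` and reintroduce the use-after-free the commit message describes. I would add directly above it: `/* Must be last: once writes are enabled, the write callback may run cb, which can free the request and the bufferevent. */`. The same constraint means no statement that reads `evcon` or `evcon->bufev` should ever be appended after this call. The function begins outside this hunk, so whether earlier lines rely on the same ordering cannot be checked from here.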