From: Nate Rosenblum Date: Tue, 3 Sep 2013 21:46:47 +0000 (-0700) Subject: Avoid racy bufferevent activation X-Git-Tag: release-2.0.22-stable~26 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5eb178855a7263a50e38139089720fef7c3a1642;p=libevent Avoid racy bufferevent activation The evhttp_send_reply method invokes evhttp_write_buffer with a callback that may release the underlying request object and bufferevent upon completion. This cleanup callback is invoked by the underlying bufferevent's write callback. Improperly enabling write events before referencing the bufferevent could lead to use after free and memory corruption. --- diff --git a/http.c b/http.c index 9b96ffb3..377597ea 100644 --- a/http.c +++ b/http.c @@ -383,8 +383,6 @@ evhttp_write_buffer(struct evhttp_connection *evcon, evcon->cb = cb; evcon->cb_arg = arg; - bufferevent_enable(evcon->bufev, EV_WRITE); - /* Disable the read callback: we don't actually care about data; * we only care about close detection. (We don't disable reading, * since we *do* want to learn about any close events.) */ @@ -393,6 +391,8 @@ evhttp_write_buffer(struct evhttp_connection *evcon, evhttp_write_cb, evhttp_error_cb, evcon); + + bufferevent_enable(evcon->bufev, EV_WRITE); } static void
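Review bot: in the second hunk of evhttp_write_buffer, the relocated `bufferevent_enable(evcon->bufev, EV_WRITE);` has no comment saying it must remain the last statement in the function. A later edit could add a reference to evcon or evcon->bufev after it and reintroduce the use after free described in the commit message. Suggest a short comment above the call, in the style of the existing "Disable the read callback" comment, stating that once EV_WRITE is enabled the write callback may invoke evcon->cb, which can release the request and the bufferevent, so nothing may touch them afterwards. The diff changes only http.c. A regression test covering evhttp_send_reply with a completion path that releases the request would help keep this ordering from regressing.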