From 5eb178855a7263a50e38139089720fef7c3a1642 Mon Sep 17 00:00:00 2001
From: Nate Rosenblum
Date: Tue, 3 Sep 2013 14:46:47 -0700
Subject: [PATCH] Avoid racy bufferevent activation

The evhttp_send_reply method invokes evhttp_write_buffer with a callback that may release the underlying request object and bufferevent upon completion. This cleanup callback is invoked by the underlying bufferevent's write callback. Improperly enabling write events before referencing the bufferevent could lead to use after free and memory corruption.
---
 http.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/http.c b/http.c
index 9b96ffb3..377597ea 100644
--- a/http.c
+++ b/http.c
@@ -383,8 +383,6 @@ evhttp_write_buffer(struct evhttp_connection *evcon,
 evcon->cb = cb;
 evcon->cb_arg = arg;
 
- bufferevent_enable(evcon->bufev, EV_WRITE);
-
 /* Disable the read callback: we don't actually care about data;
 * we only care about close detection. (We don't disable reading,
 * since we *do* want to learn about any close events.) */
@@ -393,6 +391,8 @@ evhttp_write_buffer(struct evhttp_connection *evcon,
 evhttp_write_cb,
 evhttp_error_cb,
 evcon);
+
+ bufferevent_enable(evcon->bufev, EV_WRITE);
 }
 
 static void
-- 
2.40.0
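Review bot: The relocated `bufferevent_enable(evcon->bufev, EV_WRITE);` at the end of the second hunk has no comment saying why it must be the last statement, so a later edit could move it back up or add an `evcon` access after it. Per the commit message, once write events are enabled the write callback can run `cb` and release the request and bufferevent, which makes the ordering a lifetime constraint rather than a style choice. I would add above the call: `/* Enable EV_WRITE last: the write callback may run cb and release the request and bufferevent, so nothing after this may touch evcon->bufev. */`. The function starts outside the hunk, so whether callers touch `evcon` after `evhttp_write_buffer` returns cannot be checked from here.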