Fix zero-copy mode in lua_http (double free).

author Vsevolod Stakhov <vsevolod@highsecure.ru>

Tue, 12 May 2015 14:26:42 +0000 (15:26 +0100)

committer Vsevolod Stakhov <vsevolod@highsecure.ru>

Tue, 12 May 2015 14:26:42 +0000 (15:26 +0100)
author Vsevolod Stakhov <vsevolod@highsecure.ru>
Tue, 12 May 2015 14:26:42 +0000 (15:26 +0100)
committer Vsevolod Stakhov <vsevolod@highsecure.ru>
Tue, 12 May 2015 14:26:42 +0000 (15:26 +0100)
diff --git a/src/libutil/http.c b/src/libutil/http.c

index ff43ebd11fe7692c09ea2cbf08bed7cc96140bf5..5e589afc2923e156c7e020416df8a13c76aa23d7 100644 (file)
--- a/src/libutil/http.c
+++ b/src/libutil/http.c
@@ -1592,7 +1592,7 @@ rspamd_http_connection_write_message (struct rspamd_http_connection *conn,
                 }
                 if (msg->body != NULL) {
  
-                       if (msg->body_buf.str == NULL) {
+                       if (msg->body_buf.str == NULL && msg->body_buf.len == 0) {
                                 msg->body_buf.str = msg->body->str;
                         }
                         priv->out[i].iov_base = pbody;
diff --git a/src/lua/lua_http.c b/src/lua/lua_http.c

index 7e48b7fd634d478f843955da6068c94bf4988a1d..1baef5ed4941e9be592552d948df1ec2d717a6e0 100644 (file)
--- a/src/lua/lua_http.c
+++ b/src/lua/lua_http.c
@@ -410,6 +410,8 @@ lua_http_request (lua_State *L)
                                 msg->body = g_string_new (NULL);
                                 msg->body->str = (gchar *)t->start;
                                 msg->body->len = t->len;
+                               /* It is not safe unless we set len to avoid body_buf to be freed */
+                               msg->body_buf.len = t->len;
                         }
                 }
author	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Tue, 12 May 2015 14:26:42 +0000 (15:26 +0100)
committer	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Tue, 12 May 2015 14:26:42 +0000 (15:26 +0100)
src/libutil/http.c		patch \| blob \| history
src/lua/lua_http.c		patch \| blob \| history