From 85280730034506b3e62dd7c529480898fe712058 Mon Sep 17 00:00:00 2001 From: ejurgensen Date: Sat, 30 Sep 2023 23:06:09 +0200 Subject: [PATCH] [daap] Fix for use-after-free Present in 28.7 and 28.8. Closes #1659. Credit X-Ryl669. --- src/httpd_daap.c | 4 ++-- src/httpd_internal.h | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/httpd_daap.c b/src/httpd_daap.c index 5fed4db9..ee3df2d8 100644 --- a/src/httpd_daap.c +++ b/src/httpd_daap.c @@ -2264,8 +2264,6 @@ daap_request(struct httpd_request *hreq) ret = hreq->handler(hreq); - daap_reply_send(hreq, ret); - clock_gettime(CLOCK_MONOTONIC, &end); msec = (end.tv_sec * 1000 + end.tv_nsec / 1000000) - (start.tv_sec * 1000 + start.tv_nsec / 1000000); @@ -2273,6 +2271,8 @@ daap_request(struct httpd_request *hreq) if (ret == DAAP_REPLY_OK && msec > cache_daap_threshold() && hreq->user_agent) cache_daap_add(hreq->uri, hreq->user_agent, ((struct daap_session *)hreq->extra_data)->is_remote, msec); + + daap_reply_send(hreq, ret); // hreq is deallocted } int diff --git a/src/httpd_internal.h b/src/httpd_internal.h index 60b45e91..2009b051 100644 --- a/src/httpd_internal.h +++ b/src/httpd_internal.h @@ -224,7 +224,8 @@ httpd_response_not_cachable(struct httpd_request *hreq); * may direct it not to. It will set CORS headers as appropriate. Should be * thread safe. * - * @in req The http request struct + * @in hreq The http request struct. NOTE: is automatically deallocated if + * this is the final reply. * @in code HTTP code, e.g. 200 * @in reason A brief explanation of the error - if NULL the standard meaning of the error code will be used @@ -248,7 +249,8 @@ httpd_send_reply_end(struct httpd_request *hreq); * which is not possible with evhttp_send_error, because it clears the headers. * Should be thread safe. * - * @in req The http request struct + * @in hreq The http request struct. NOTE: is automatically deallocated if + * this is the final reply. * @in error HTTP code, e.g. 200 * @in reason A brief explanation of the error - if NULL the standard meaning of the error code will be used @@ -256,7 +258,6 @@ httpd_send_reply_end(struct httpd_request *hreq); void httpd_send_error(struct httpd_request *hreq, int error, const char *reason); - void httpd_redirect_to(struct httpd_request *hreq, const char *path);