From 7970b5d6020bb85a1d2901ef277da0c17605769d Mon Sep 17 00:00:00 2001
From: Jianhui Zhao
Date: Thu, 4 Dec 2025 11:55:52 +0800
Subject: [PATCH] Fix use-after-free in HTTP connection handling

Add HTTP_CON_FLAG_CONNECTING flag to track connection state and prevent accessing freed connection objects during asynchronous operations.

Signed-off-by: Jianhui Zhao
---
 src/http.c | 12 ++++++++++++
 src/http.h | 3 ++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/http.c b/src/http.c
index 3585484..61a7696 100644
--- a/src/http.c
+++ b/src/http.c
@@ -213,6 +213,11 @@ static void on_connected(int sock, void *arg)
         return;
     }
 
+    if (!(conn->flags & HTTP_CON_FLAG_CONNECTING)) {
+        http_conn_free(conn);
+        return;
+    }
+
     ev_io_init(&conn->ior, on_net_read, sock, EV_READ);
     ev_io_start(loop, &conn->ior);
 
@@ -281,6 +286,11 @@ void http_request(struct rtty *rtty, int len)
     len -= 6;
 
     if (len == 0) {
+        if (conn->flags & HTTP_CON_FLAG_CONNECTING) {
+            conn->flags &= ~HTTP_CON_FLAG_CONNECTING;
+            return;
+        }
+
         http_conn_free(conn);
         return;
     }
@@ -304,6 +314,8 @@ void http_request(struct rtty *rtty, int len)
     if (https)
         conn->flags |= HTTP_CON_FLAG_HTTPS;
 
+    conn->flags |= HTTP_CON_FLAG_CONNECTING;
+
     memcpy(conn->addr, addr, 18);
 
     data = buffer_put(&conn->wb, len);
diff --git a/src/http.h b/src/http.h
index dbfccdd..4548028 100644
--- a/src/http.h
+++ b/src/http.h
@@ -28,7 +28,8 @@
 #include "rtty.h"
 
 enum {
-    HTTP_CON_FLAG_HTTPS = 1 << 0
+    HTTP_CON_FLAG_HTTPS = 1 << 0,
+    HTTP_CON_FLAG_CONNECTING = 1 << 1,
 };
 
 struct http_connection {
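Review bot: The new check in on_connected frees a connection whose close arrived while the connect was in flight, but nothing in this hunk clears HTTP_CON_FLAG_CONNECTING once the connect has succeeded, so unless it is cleared further down in on_connected (the function continues past this hunk) an established connection keeps the flag set. A later len == 0 request in http_request would then only clear the flag and return instead of freeing, leaving the connection and its fd alive. Clearing it right after the check, `conn->flags &= ~HTTP_CON_FLAG_CONNECTING;` before the ev_io_init, keeps the flag meaning "connect in flight". It is also worth confirming that http_conn_free closes sock on this path; if the fd is only stored in conn later in on_connected, the cancelled-connection branch leaks it and needs a `close(sock);` first.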
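Review bot: The deferred free in the len == 0 branch relies on on_connected always running and reaching the new flag check, but the `return;` visible at the top of the first hunk shows on_connected has an earlier exit (presumably the connect-failure path) that this commit does not touch. If that path does not free conn itself, a connection that was closed while connecting and whose connect then fails is never freed. Either move the flag check ahead of that early return or make the failure path call http_conn_free as well. A one-line comment on the new branch, `/* connect still in flight: on_connected now owns the free */`, would document the handover. http_request's body continues outside the hunk.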
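Review bot: HTTP_CON_FLAG_CONNECTING appears to be set here before the asynchronous connect is issued (that call is not in this hunk), so if the connect attempt fails synchronously on a path that does not free conn, the flag stays set with no on_connected pending and a later len == 0 close only clears the flag, leaving the connection alive. Worth checking that every failure after this line either frees conn or clears the flag. A short comment would make the contract explicit: `/* from here on, a len == 0 close is deferred to on_connected */`.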
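Review bot: The new enumerator carries no comment, and its meaning (set while the async connect is in flight; cleared by http_request when a close arrives first, so that on_connected frees the connection) is spread across three hunks in http.c. A one-line comment on the declaration, `HTTP_CON_FLAG_CONNECTING = 1 << 1, /* async connect in flight; a close seen meanwhile is deferred to on_connected */`, would let readers of the header understand the handover without reading http.c.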