Fix use-after-free in HTTP connection handling

Add HTTP_CON_FLAG_CONNECTING flag to track connection state and prevent accessing freed connection objects during asynchronous operations. Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
2026-02-27 09:53:17 +08:00 · 2025-12-04 11:55:52 +08:00
parent 706eb2046b
commit 7970b5d602
2 changed files with 14 additions and 1 deletions
--- a/src/http.c
+++ b/src/http.c
@@ -213,6 +213,11 @@ static void on_connected(int sock, void *arg)
        return;
    }

+    if (!(conn->flags & HTTP_CON_FLAG_CONNECTING)) {
+        http_conn_free(conn);
+        return;
+    }
+
    ev_io_init(&conn->ior, on_net_read, sock, EV_READ);
    ev_io_start(loop, &conn->ior);

@@ -281,6 +286,11 @@ void http_request(struct rtty *rtty, int len)
        len -= 6;

        if (len == 0) {
+            if (conn->flags & HTTP_CON_FLAG_CONNECTING) {
+                conn->flags &= ~HTTP_CON_FLAG_CONNECTING;
+                return;
+            }
+
            http_conn_free(conn);
            return;
        }
@@ -304,6 +314,8 @@ void http_request(struct rtty *rtty, int len)
    if (https)
        conn->flags |= HTTP_CON_FLAG_HTTPS;

+    conn->flags |= HTTP_CON_FLAG_CONNECTING;
+
    memcpy(conn->addr, addr, 18);

    data = buffer_put(&conn->wb, len);
--- a/src/http.h
+++ b/src/http.h
@@ -28,7 +28,8 @@
 #include "rtty.h"

 enum {
-    HTTP_CON_FLAG_HTTPS = 1 << 0
+    HTTP_CON_FLAG_HTTPS = 1 << 0,
+    HTTP_CON_FLAG_CONNECTING = 1 << 1,
 };

 struct http_connection {