[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Lynx-dev] use-after-free bug in cookie handling
|
From: |
Thorsten Glaser |
|
Subject: |
Re: [Lynx-dev] use-after-free bug in cookie handling |
|
Date: |
Thu, 13 Aug 2015 23:04:55 +0000 (UTC) |
Dixi quod…
>This looks like the classical “object removed from list, free’d,
>then used to continue traversing the list” bug. And, indeed, there
>is a call to HTList_removeObject() in the loop!
Funnily enough, LYAddCookieHeader() in the same file appears to have
been rewritten to address this precise issue.
The control flow in this function differs, therefore I propose the
following rather minimal-invasive patch: after a removal, the loop
header is skipped (duplicating the abort logic, but whatever).
I’ll be running lynx with that patch applied for a while now.
Index: src/LYCookie.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/src/LYCookie.c,v
retrieving revision 1.1.109.9
diff -u -p -r1.1.109.9 LYCookie.c
--- src/LYCookie.c 19 Feb 2012 18:29:34 -0000 1.1.109.9
+++ src/LYCookie.c 13 Aug 2015 23:03:47 -0000
@@ -723,6 +723,7 @@ static char *scan_cookie_sublist(char *h
sprintf(crlftab, "%c%c%c", CR, LF, '\t');
for (hl = sublist; hl != NULL; hl = hl->next) {
+ continue_after_removal:
co = (cookie *) hl->object;
if (co == NULL) {
@@ -752,10 +753,13 @@ static char *scan_cookie_sublist(char *h
*/
if ((co->flags & COOKIE_FLAG_EXPIRES_SET) &&
co->expires <= now) {
+ hl = hl->next;
HTList_removeObject(sublist, co);
freeCookie(co);
total_cookies--;
- continue;
+ if (hl)
+ goto continue_after_removal;
+ break;
}
/*
Enjoy,
//mirabilos
--
> Wish I had pine to hand :-( I'll give lynx a try, thanks.
Michael Schmitz on nntp://news.gmane.org/gmane.linux.debian.ports.68k
a.k.a. {news.gmane.org/nntp}#news.gmane.linux.debian.ports.68k in pine