[Libwebsockets] [libwebsockets] #99: client.c: double free during cleanup (bail2)

Trac trac at libwebsockets.org
Sun Feb 1 00:16:02 CET 2015


#99: client.c: double free during cleanup (bail2)
-----------------------------------+-----------------
 Reporter:  dj1yfk                 |      Owner:
     Type:  defect                 |     Status:  new
 Priority:  minor                  |  Milestone:
Component:  libwebsockets library  |    Version:
 Keywords:                         |
-----------------------------------+-----------------
 Some errors (e.g. fail protocol) in the function
 "lws_client_interpret_server_handshake" (from client.c), will cause a
 "goto bail2;" where things are cleaned up.

 At the end of bail2, first "lws_free(wsi->u.hdr.ah);" is executed, then
 "libwebsocket_close_and_free_session(context, wsi, close_reason);" which
 calls "lws_free_header_table(wsi)" which ultimately calls
 "lws_free2(wsi->u.hdr.ah);". This results in a crash:

 [1422641278:7626] ERR: lws_client_int_s_hs: fail protocol dumb-increment-
 protocol
 *** glibc detected *** libwebsockets-test-client: double free or
 corruption (!prev): 0x08b5e778 ***

 Using lws_free2(wsi->u.hdr.ah) instead of lws_free() or adding
 "wsi->u.hdr.ah = NULL;" right after lws_free(wsi->u.hdr.ah) in
 client.c:797 solves this problem.

 In my case, this was triggered when a server (not using libwebsocket)
 responded with an invalid "Sec-WebSocket-Protocol" header to an upgrade
 request. To reproduce the problem without a "broken" server, it's probably
 easiest just to force the "goto bail2" in client.c:593 (latest git
 master).

--
Ticket URL: <http://libwebsockets.org/trac/libwebsockets/ticket/99>
libwebsockets <http://libwebsockets.org>
libwebsockets C library
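The failure pattern in this ticket (a cleanup path that frees a buffer and leaves the pointer dangling, after which the generic session teardown frees the same pointer again) and the proposed fix (free-and-null, as `lws_free2()` does) can be shown in isolation. The following program is an added example, not libwebsockets code: `struct wsi_stub`, `free_header_table`, `close_and_free_session`, `bail2_buggy` and `bail2_fixed` are hypothetical stand-ins for the ticket's `wsi->u.hdr.ah`, `lws_free_header_table()`, `libwebsocket_close_and_free_session()` and the two versions of the `bail2` label. A small constructed allocation tracker reports the second free as a count instead of letting glibc abort, so both paths can run side by side.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the header table that wsi->u.hdr.ah points at. */
struct header_table { char buf[64]; };

/* Hypothetical stand-in for the parts of struct libwebsocket used here. */
struct wsi_stub { struct header_table *ah; };

/* Constructed allocation tracker: remembers live pointers so that a second
   free of the same pointer is counted rather than corrupting the heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) { live[i] = p; break; }
    }
    return p;
}

static void tracked_free(void *p) {
    if (!p)
        return;                         /* free(NULL) is a no-op, like lws_free */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    double_free_count++;                /* pointer is not live: double free */
}

/* The lws_free2-style idiom: free and null the slot in one step, so a later
   teardown that frees the same slot sees NULL and does nothing. */
#define free_and_null(pp) do { tracked_free(*(pp)); *(pp) = NULL; } while (0)

/* Mirrors the role of lws_free_header_table() in the generic teardown. */
static void free_header_table(struct wsi_stub *wsi) {
    free_and_null(&wsi->ah);
}

/* Mirrors the role of libwebsocket_close_and_free_session(). */
static void close_and_free_session(struct wsi_stub *wsi) {
    free_header_table(wsi);
}

/* Buggy bail2: frees the header table with a plain free, leaves the pointer
   dangling, then the session teardown frees it again.
   Returns the number of double frees observed on this path. */
int bail2_buggy(void) {
    struct wsi_stub wsi = { tracked_malloc(sizeof(struct header_table)) };
    int before = double_free_count;
    tracked_free(wsi.ah);          /* lws_free(): wsi.ah still points at freed memory */
    close_and_free_session(&wsi);  /* frees wsi.ah a second time */
    return double_free_count - before;
}

/* Fixed bail2: free-and-null (or "wsi->u.hdr.ah = NULL;" right after the
   free) makes the later teardown a harmless no-op. */
int bail2_fixed(void) {
    struct wsi_stub wsi = { tracked_malloc(sizeof(struct header_table)) };
    int before = double_free_count;
    free_and_null(&wsi.ah);        /* lws_free2()-style free */
    close_and_free_session(&wsi);  /* wsi.ah is NULL: nothing to free */
    return double_free_count - before;
}

int main(void) {
    printf("buggy bail2: %d double free(s)\n", bail2_buggy());
    printf("fixed bail2: %d double free(s)\n", bail2_fixed());
    return 0;
}
```

The point of the tracker is only to make the defect observable without aborting; in a real build, the same path is caught earlier by running the test client under AddressSanitizer or Valgrind, which report the second free together with the stack of the first one.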
