Hello!

Find attached two patches, which each fix a use-after-free bug.

I've also attached a crashing html document for each, but please be aware that these reproducer documents link urls from external web servers. The reproducers crash reliably on my x86_64 Void Linux laptop, but I've not tested them elsewhere. I've also attached a crash log with asan reporting of each.

Thank you
-Magnus L

p.s. I've also opened github PR 449 with these same changes, but figured I should send the patches via email as well-- if only for practice :)
Hi Magnus,

On Sat, Jan 24, 2026 at 11:13:25AM -0800, Nopey Nope wrote:

> Hello!
>
> Find attached two patches, which each fix a use-after-free bug.
>
> I've also attached a crashing html document for each, but please be aware that these reproducer documents link urls from external web servers. The reproducers crash reliably on my x86_64 Void Linux laptop, but I've not tested them elsewhere. I've also attached a crash log with asan reporting of each.
>
> Thank you
> -Magnus L
>
> p.s. I've also opened github PR 449 with these same changes, but figured I should send the patches via email as well-- if only for practice :)

Thanks a lot for the patches and reproducers!

I saw the PR but I only had time to look at the "Fix use-after-free in openssl cert popup" commit which seems good. We are moving away from GitHub so it would be nice to send future patches here (or a link to a git repo/branch to fetch with git).

It would help to describe what the condition is that triggers the UAF in the Http_server patch and why the change helps, so that it is easier to review.

Perhaps it would be a good idea to put that information in the commit summary of both patches so we can see it via git blame.

Best,
Rodrigo.
Thanks for the guidance, Rodrigo!

Had a better idea on how to fix the socketdata use-after-free; new attached patch 0002 fixes the bug by only freeing the queued sockdata if it's exclusively owned by the server queue.

I've added information in the commit summaries as suggested. I also added an assert in Http_socket_enqueue, which makes explicit the precondition that socketdata can only be queued to one server at a time. This assert has not tripped, and hopefully never will; I thought it helped illustrate the relation between servers and socketdatas.

Magnus

On Sat, Jan 24, 2026 at 2:10 PM Rodrigo Arias <rodarima@gmail.com> wrote:

> Hi Magnus,
>
> On Sat, Jan 24, 2026 at 11:13:25AM -0800, Nopey Nope wrote:
>
> > Hello!
> >
> > Find attached two patches, which each fix a use-after-free bug.
> >
> > I've also attached a crashing html document for each, but please be aware that these reproducer documents link urls from external web servers. The reproducers crash reliably on my x86_64 Void Linux laptop, but I've not tested them elsewhere. I've also attached a crash log with asan reporting of each.
> >
> > Thank you
> > -Magnus L
> >
> > p.s. I've also opened github PR 449 with these same changes, but figured I should send the patches via email as well-- if only for practice :)
>
> Thanks a lot for the patches and reproducers!
>
> I saw the PR but I only had time to look at the "Fix use-after-free in openssl cert popup" commit which seems good. We are moving away from GitHub so it would be nice to send future patches here (or a link to a git repo/branch to fetch with git).
>
> It would help to describe what the condition is that triggers the UAF in the Http_server patch and why the change helps, so that it is easier to review.
>
> Perhaps it would be a good idea to put that information in the commit summary of both patches so we can see it via git blame.
>
> Best,
> Rodrigo.
>
> _______________________________________________
> Dillo-dev mailing list -- dillo-dev@mailman3.com
> To unsubscribe send an email to dillo-dev-leave@mailman3.com