From: Thorsten Glaser <tg <at> mirbsd.de>
Subject: Re: use-after-free bug in cookie handling
Newsgroups: gmane.comp.web.lynx.devel
Date: Thursday 13th August 2015 23:04:55 UTC (over 2 years ago)
Dixi quod…

>This looks like the classical “object removed from list, free’d,
>then used to continue traversing the list” bug. And, indeed, there
>is a call to HTList_removeObject() in the loop!

Funnily enough, LYAddCookieHeader() in the same file appears to have
been rewritten to address this precise issue.

The control flow in this function differs, therefore I propose the
following rather minimally invasive patch: after a removal, the loop
header is skipped (duplicating the abort logic, but whatever).

I’ll be running lynx with that patch applied for a while now.

Index: src/LYCookie.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/src/LYCookie.c,v
retrieving revision 1.1.109.9
diff -u -p -r1.1.109.9 LYCookie.c
--- src/LYCookie.c	19 Feb 2012 18:29:34 -0000	1.1.109.9
+++ src/LYCookie.c	13 Aug 2015 23:03:47 -0000
@@ -723,6 +723,7 @@ static char *scan_cookie_sublist(char *h
 
     sprintf(crlftab, "%c%c%c", CR, LF, '\t');
     for (hl = sublist; hl != NULL; hl = hl->next) {
+ continue_after_removal:
 	co = (cookie *) hl->object;
 
 	if (co == NULL) {
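
Review bot: The label `continue_after_removal:` sits at the top of the loop body, so a `goto` to it skips the `hl != NULL` test in the `for` header, and the `hl->object` dereference on the next line is only safe if every jump site checks `hl` itself. A short comment at the label stating that precondition would help. Alternatively, reading `hl->next` into a local at the top of the body and advancing with that local in the loop header would avoid the label and the `goto` altogether.
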
@@ -752,10 +753,13 @@ static char *scan_cookie_sublist(char *h
 	 */
 	if ((co->flags & COOKIE_FLAG_EXPIRES_SET) &&
 	    co->expires <= now) {
+	    hl = hl->next;
 	    HTList_removeObject(sublist, co);
 	    freeCookie(co);
 	    total_cookies--;
-	    continue;
+	    if (hl)
+		goto continue_after_removal;
+	    break;
 	}
 
 	/*
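
Review bot: The added `hl = hl->next;` ahead of `HTList_removeObject(sublist, co)` has no comment saying that the order matters, so a later cleanup could move it back below `freeCookie(co)` and reintroduce the bug. A one-line comment that the successor must be read before the entry for `co` is removed would protect it. The `if (hl) goto continue_after_removal; break;` sequence also duplicates the loop's `hl != NULL` condition and has to be kept in sync with it, and any other path in this loop that removes an entry (none is visible in this hunk) would need the same handling.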

Enjoy,
//mirabilos
-- 
> Wish I had pine to hand :-( I'll give lynx a try, thanks.

Michael Schmitz on nntp://news.gmane.org/gmane.linux.debian.ports.68k
a.k.a. {news.gmane.org/nntp}#news.gmane.linux.debian.ports.68k in pine

_______________________________________________
Lynx-dev mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/lynx-dev
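
An added example, not part of the original post and not Lynx code: the same expire-and-remove traversal on a hypothetical singly linked list with a dummy head node, where the successor is read before the current entry is freed. The `node` and `cookie` types, `list_add`, `purge_expired`, `demo` and the expiry values are all constructed for illustration.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the list and cookie types (not Lynx's own). */
typedef struct node { void *object; struct node *next; } node;
typedef struct { long expires; } cookie;

/* Insert a cookie right after the dummy head node; returns 0 on success. */
static int list_add(node *head, long expires) {
    node *n = malloc(sizeof *n);
    cookie *c = malloc(sizeof *c);
    if (n == NULL || c == NULL) { free(n); free(c); return -1; }
    c->expires = expires;
    n->object = c;
    n->next = head->next;
    head->next = n;
    return 0;
}

/* Free every cookie with expires <= now; returns the number removed. */
static int purge_expired(node *head, long now) {
    int removed = 0;
    node *prev = head, *cur, *next;
    for (cur = head->next; cur != NULL; cur = next) {
        cookie *c = cur->object;
        next = cur->next;          /* read the successor while cur is valid */
        if (c->expires <= now) {
            prev->next = next;     /* unlink before releasing the entry */
            free(c); free(cur);
            removed++;
        } else {
            prev = cur;            /* only surviving entries become prev */
        }
    }
    return removed;
}

/* Constructed sample; list order is 5, 90, 50, 20, 10, checked at now = 30. */
static int demo(int *remaining) {
    static const long sample[] = { 10, 20, 50, 90, 5 };
    node head = { NULL, NULL }, *n;
    int removed, i;
    for (i = 0; i < 5; i++)
        if (list_add(&head, sample[i]) != 0) return -1;
    removed = purge_expired(&head, 30);
    for (*remaining = 0, n = head.next; n != NULL; n = n->next) (*remaining)++;
    purge_expired(&head, 100);     /* release the surviving entries */
    return removed;
}

int main(void) { int left; return (demo(&left) == 3 && left == 2) ? 0 : 1; }
```

The sample removes the first entry and two adjacent entries at the tail, the cases where a traversal that advances through a freed entry goes wrong.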