Bug #14136 (Closed)
Heap-use-after-free in HTTP keep-alive connection handling
Start date: 11/24/2025
% Done: 0%
Description
Heap-use-after-free was found with ASAN on client disconnect during fuzz-testing with raw TCP packets (AFL++).
PR with fix proposal and details on GitHub: https://github.com/emweb/wt/pull/235
Trigger Scenario
- Client sends an HTTP request
- Server processes it and starts sending response
- Client closes connection
- handleWriteResponse() is called to clean up for next keep-alive request
- rcv_remaining_ points to a deleted buffer → heap-use-after-free in RequestParser::consume()
ASAN Report (first line)
==8==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000000306
READ of size 1 at 0x625000000306 thread T4
#0 in http::server::RequestParser::consume() RequestParser.C:857
Please check the GitHub PR for more info.
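The following is an added illustration of the sequence the report describes (response in flight, client closes, keep-alive clean-up resumes parsing from a cursor into a buffer that no longer exists). It is not Wt's code and not the code from the linked PR: the names rcv_remaining_, handleWriteResponse() and RequestParser::consume() are taken from the report, while the toy parser, the two connection structs and the constructed request bytes are assumptions made for the example. The unsafe struct shows the bug's shape; the safe struct shows one way to close it (connection-owned buffer, offset instead of pointer, close recorded and checked before deferred work).

```cpp
// Added illustration, not Wt's code: a minimal model of the keep-alive
// hand-off from bug #14136, unsafe shape beside a safe one. Names from the
// report are reused; all other names and inputs are assumptions.
#include <cstddef>
#include <string>
#include <string_view>
#include <vector>

// Toy parser: one request ends at the first "\r\n\r\n".
struct RequestParser {
    std::string request;      // bytes of the request being parsed
    bool complete = false;

    // Consume [begin, end), stopping after the request terminator.
    // Returns how many bytes were taken.
    std::size_t consume(const char* begin, const char* end) {
        std::size_t n = 0;
        for (const char* p = begin; p != end; ++p) {
            request.push_back(*p);
            ++n;
            if (request.size() >= 4 &&
                request.compare(request.size() - 4, 4, "\r\n\r\n") == 0) {
                complete = true;
                break;
            }
        }
        return n;
    }
    void reset() { request.clear(); complete = false; }
};

// Unsafe shape (the bug pattern): the cursor is a raw pointer into a buffer
// whose lifetime ends on disconnect. If the close runs before the keep-alive
// clean-up, consume() reads freed memory. Kept for comparison, not run.
struct UnsafeConnection {
    std::vector<char>* rcv_buffer_ = nullptr;  // freed on close
    const char* rcv_remaining_ = nullptr;      // points into *rcv_buffer_
    const char* rcv_end_ = nullptr;
    RequestParser parser_;

    void handleClose() { delete rcv_buffer_; rcv_buffer_ = nullptr; }  // cursor dangles
    void handleWriteResponse() {
        parser_.reset();
        if (rcv_remaining_ != rcv_end_)
            parser_.consume(rcv_remaining_, rcv_end_);  // heap-use-after-free
    }
};

// Safe shape: the connection owns the buffer, the cursor is an offset, and
// the close is recorded and checked before any deferred work runs.
struct SafeConnection {
    std::vector<char> rcv_buffer_;
    std::size_t rcv_offset_ = 0;   // bytes already handed to the parser
    bool closed_ = false;
    RequestParser parser_;

    // Bytes from the socket: parse the first request, keep the rest.
    void handleRead(std::string_view bytes) {
        if (closed_) return;
        rcv_buffer_.assign(bytes.begin(), bytes.end());
        rcv_offset_ = parser_.consume(rcv_buffer_.data(),
                                      rcv_buffer_.data() + rcv_buffer_.size());
    }

    // Client disconnect: release the buffer and the cursor together.
    void handleClose() {
        closed_ = true;
        rcv_buffer_.clear();
        rcv_offset_ = 0;
    }

    // Keep-alive clean-up after the response is written. Returns true when a
    // pipelined request was picked up from the leftover bytes.
    bool handleWriteResponse() {
        if (closed_) return false;   // nothing to resume on a closed connection
        parser_.reset();
        if (rcv_offset_ >= rcv_buffer_.size()) return false;
        rcv_offset_ += parser_.consume(rcv_buffer_.data() + rcv_offset_,
                                       rcv_buffer_.data() + rcv_buffer_.size());
        return parser_.complete;
    }
};

// The report's sequence: request, disconnect, then clean-up. True if the
// clean-up declined to parse instead of touching released state.
bool scenario_close_before_cleanup() {
    SafeConnection c;
    c.handleRead("GET /a HTTP/1.1\r\nHost: x\r\n\r\n");  // constructed input
    c.handleClose();
    return !c.handleWriteResponse();
}

// Normal keep-alive with a pipelined second request (constructed input):
// the bytes left after the first request become the next one.
std::string scenario_pipelined_keepalive() {
    SafeConnection c;
    c.handleRead("GET /a HTTP/1.1\r\n\r\nGET /b HTTP/1.1\r\n\r\n");
    c.handleWriteResponse();
    return c.parser_.request;
}
```

Building the unsafe variant with -fsanitize=address and driving it through close-then-clean-up reproduces the report's "READ of size 1" in consume(); the safe variant turns the same ordering into an early return, and keeps the normal pipelined keep-alive path working.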
Updated by Romain Mardulyn about 2 months ago
- Status changed from New to InProgress
- Assignee set to Romain Mardulyn
- Target version set to 4.12.4
Updated by Romain Mardulyn about 2 months ago
- Status changed from InProgress to Review
- Assignee deleted (Romain Mardulyn)
Updated by Matthias Van Ceulebroeck about 1 month ago
- Assignee set to Matthias Van Ceulebroeck
Updated by Romain Mardulyn about 1 month ago
- Status changed from Review to Implemented @Emweb
- Assignee changed from Matthias Van Ceulebroeck to Romain Mardulyn
- Private changed from No to Yes
Updated by Romain Mardulyn about 1 month ago
- Target version changed from 4.12.4 to 4.12.3
Updated by Romain Mardulyn about 1 month ago
- Status changed from Implemented @Emweb to Closed
- Private changed from Yes to No