Bug #14136: Heap-use-after-free in HTTP keep-alive connection handling - Wt - Redmine

Actions

Copy link

Bug #14136

open

Heap-use-after-free in HTTP keep-alive connection handling

Added by Aleksei Davydov 14 days ago.

Status:

New

Priority:

Normal

Assignee:

Target version:

Start date:

11/24/2025

Due date:

% Done:

Estimated time:

Description

Heap-use-after-free was found with ASAN on client disconnect during fuzz-testing with raw TCP packats (AFL++).

PR with fix proposal and details on GitHub: https://github.com/emweb/wt/pull/235

Trigger Scenario

Client sends an HTTP request
Server processes it and starts sending response
Client closes connection
handleWriteResponse() is called to clean up for next keep-alive request
rcv_remaining_ points to a deleted buffer → heap-use-after-free in RequestParser::consume()

ASAN Report (first line)
==8==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000000306
READ of size 1 at 0x625000000306 thread T4
#0 in http::server::RequestParser::consume() RequestParser.C:857

Please check Github PR for more info

No data to display

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Wt

Bug #14136

Heap-use-after-free in HTTP keep-alive connection handling