From d50f4abad9caa145345db6418b1e5f415430803f Mon Sep 17 00:00:00 2001
From: AnaLGiN83
Date: Wed, 19 Nov 2025 14:46:31 +0300
Subject: [PATCH] Fix heap-use-after-free in HTTP keep-alive connection handling

This fixes a memory safety issue in Connection::handleWriteResponse() that occurs when handling HTTP keep-alive connections.

The bug: After removing old receive buffers via pop_front(), the pointer rcv_remaining_ could still point to data in a deleted buffer. The original condition only checked if rcv_remaining_ was less than the buffer end, but did not verify it was within the bounds of the remaining buffer.

The fix: Add proper bounds checking to ensure rcv_remaining_ points inside the remaining buffer before dereferencing it in handleReadRequest0().

Discovered via AFL++ fuzzing with AddressSanitizer.
---
 src/http/Connection.C | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/http/Connection.C b/src/http/Connection.C
index 5c7bfd03e..42ab528be 100644
--- a/src/http/Connection.C
+++ b/src/http/Connection.C
@@ -486,7 +486,8 @@ void Connection::handleWriteResponse(ReplyPtr reply)
     while (rcv_buffers_.size() > 1)
       rcv_buffers_.pop_front();
 
-    if (rcv_remaining_ < rcv_buffers_.back().data() + rcv_buffer_size_)
+    if (rcv_remaining_ >= rcv_buffers_.back().data() &&
+        rcv_remaining_ < rcv_buffers_.back().data() + rcv_buffer_size_)
       handleReadRequest0();
     else
       startAsyncReadRequest(rcv_buffers_.back(), KEEPALIVE_TIMEOUT);
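Review bot: The new `>=`/`<` guard still evaluates rcv_remaining_ after the buffer it may point into has been destroyed by pop_front(), and C++ defines no ordering for relational comparison of pointers into different objects (let alone a dangling one), so the check is only reliable in practice, not by contract; AddressSanitizer stays quiet because nothing is dereferenced, which is also why it cannot confirm the fix is complete. The safer shape is to decide membership while the discarded buffer is still alive: compare rcv_remaining_ against front() before each pop, reset it when it falls inside that buffer, and then dispatch on the reset value. Whether rcv_remaining_ may legitimately be null elsewhere, and whether every element of rcv_buffers_ is exactly rcv_buffer_size_ bytes, cannot be seen in this hunk and should be confirmed before adopting the sketch below. Bytes left over in a discarded buffer are silently dropped rather than carried forward, which a pipelined second request would hit; if that is intended it deserves a one-line comment such as `// leftover bytes in a dropped buffer are discarded; keep-alive restarts the read`. handleWriteResponse begins and ends outside the hunk.
```cpp
    while (rcv_buffers_.size() > 1) {
      // Decide membership while the buffer is still alive: a pointer into the
      // buffer being popped must not be compared or used afterwards.
      const auto *old = rcv_buffers_.front().data();
      if (rcv_remaining_ >= old && rcv_remaining_ < old + rcv_buffer_size_)
        rcv_remaining_ = nullptr;
      rcv_buffers_.pop_front();
    }

    if (rcv_remaining_ &&
        rcv_remaining_ < rcv_buffers_.back().data() + rcv_buffer_size_)
      handleReadRequest0();
    else
      startAsyncReadRequest(rcv_buffers_.back(), KEEPALIVE_TIMEOUT);
```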