From 74673dbc9ac27018aabfa059349406e3cc60e114 Mon Sep 17 00:00:00 2001 From: Max Kellermann Date: Mon, 2 Sep 2024 17:21:55 +0200 Subject: [PATCH] lb/TranslationHttpRequestHandler: free the TranslateResponse, fixing more UAF bugs See commit acda23319fda8cf43c1ad006b964e107a6ee8462 --- src/lb/TranslationHttpRequestHandler.cxx | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/lb/TranslationHttpRequestHandler.cxx b/src/lb/TranslationHttpRequestHandler.cxx index f2b0d35bb..cde9ebfd5 100644 --- a/src/lb/TranslationHttpRequestHandler.cxx +++ b/src/lb/TranslationHttpRequestHandler.cxx @@ -89,6 +89,7 @@ LbHttpRequest::OnTranslateResponse(UniquePoolPtr _response) n const char *host = rl.host; if (host == nullptr) { + _response.reset(); _request.SendMessage(HttpStatus::BAD_REQUEST, "No Host header"sv); return; } @@ -101,10 +102,13 @@ LbHttpRequest::OnTranslateResponse(UniquePoolPtr _response) n if (msg == nullptr) msg = "This page requires \"https\""; + const auto https_only = response.https_only; + _response.reset(); + _request.SendRedirect(status, MakeHttpsRedirect(AllocatorPtr{_request.pool}, host, - response.https_only, + https_only, _request.uri), msg); } else if (response.status != HttpStatus{} || @@ -124,6 +128,7 @@ LbHttpRequest::OnTranslateResponse(UniquePoolPtr _response) n } else if (response.pool != nullptr) { auto *destination = handler.FindDestination(response.pool); if (destination == nullptr) { + _response.reset(); Destroy(); c.LogSendError(_request, @@ -135,6 +140,8 @@ LbHttpRequest::OnTranslateResponse(UniquePoolPtr _response) n if (response.canonical_host != nullptr) rl.canonical_host = response.canonical_host; + _response.reset(); + request.body = std::move(request_body); auto &_caller_cancel_ptr = caller_cancel_ptr; @@ -142,6 +149,7 @@ LbHttpRequest::OnTranslateResponse(UniquePoolPtr _response) n c.HandleHttpRequest(*destination, _request, {}, _caller_cancel_ptr); } else { + _response.reset(); Destroy(); c.LogSendError(_request,