Fix a use-after-free bug in peerDigestFetchReply() (#1865)

The problem occurred when handling an HTTP 304 cache digest response.

Also removed effectively unused DIGEST_READ_DONE enum value.

diff --git a/src/enums.h b/src/enums.h
index e852ba4418d613bf97c395adbcf3e191abfd32e8..0ac7f3d82f677accfe06d8e0e2b1ecd4c9be2d36 100644 (file)
--- a/src/enums.h
+++ b/src/enums.h
@@ -198,8 +198,7 @@ typedef enum {
     DIGEST_READ_NONE,
     DIGEST_READ_REPLY,
     DIGEST_READ_CBLOCK,
-    DIGEST_READ_MASK,
-    DIGEST_READ_DONE
+    DIGEST_READ_MASK
 } digest_read_state_t;
 
 /* CygWin & Windows NT Port */

diff --git a/src/peer_digest.cc b/src/peer_digest.cc
index 0f375ac4c7968072ee26ee4a10f227a0d50be13b..089a2db87801a4d0997afb2ec0f9115027091626 100644 (file)
--- a/src/peer_digest.cc
+++ b/src/peer_digest.cc
@@ -386,10 +386,6 @@ peerDigestHandleReply(void *data, StoreIOBuffer receivedData)
         case DIGEST_READ_NONE:
             break;
 
-        case DIGEST_READ_DONE:
-            return;
-            break;
-
         default:
             fatal("Bad digest transfer mode!\n");
         }
@@ -491,7 +487,7 @@ peerDigestFetchReply(void *data, char *buf, ssize_t size)
 
             // stay with the old in-memory digest
             peerDigestFetchStop(fetch, buf, "Not modified");
-            fetch->state = DIGEST_READ_DONE;
+            return -1;
         } else if (status == Http::scOkay) {
             /* get rid of old entry if any */