From: Vsevolod Stakhov
Date: Tue, 12 May 2015 14:26:42 +0000 (+0100)
Subject: Fix zero-copy mode in lua_http (double free).
X-Git-Tag: 0.9.0~27
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=780bb6dfaefc471f4b8d2100642a2c1af6a2623b;p=thirdparty%2Frspamd.git

Fix zero-copy mode in lua_http (double free).
---
diff --git a/src/libutil/http.c b/src/libutil/http.c
index ff43ebd11f..5e589afc29 100644
--- a/src/libutil/http.c
+++ b/src/libutil/http.c
@@ -1592,7 +1592,7 @@ rspamd_http_connection_write_message (struct rspamd_http_connection *conn,
 }
 if (msg->body != NULL) {
- if (msg->body_buf.str == NULL) {
+ if (msg->body_buf.str == NULL && msg->body_buf.len == 0) {
 msg->body_buf.str = msg->body->str;
 }
 priv->out[i].iov_base = pbody;
diff --git a/src/lua/lua_http.c b/src/lua/lua_http.c
index 7e48b7fd63..1baef5ed49 100644
--- a/src/lua/lua_http.c
+++ b/src/lua/lua_http.c
@@ -410,6 +410,8 @@ lua_http_request (lua_State *L)
 msg->body = g_string_new (NULL);
 msg->body->str = (gchar *)t->start;
 msg->body->len = t->len;
+ /* It is not safe unless we set len to avoid body_buf to be freed */
+ msg->body_buf.len = t->len;
 }
 }
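Review bot: In the src/libutil/http.c hunk, the new guard `msg->body_buf.str == NULL && msg->body_buf.len == 0` still aliases `msg->body->str` into `body_buf.str` when a borrowed body is empty, because the marker set in src/lua/lua_http.c is `msg->body_buf.len = t->len`, which is 0 for zero-length text. If the message free path releases `body_buf.str`, as the commit subject suggests, that case would still free memory the message does not own. Ownership would be more robust as an explicit "borrowed body" flag on the message than as a length sentinel; short of that, the Lua side could skip the zero-copy branch when `t->len == 0`. The lua_http.c hunk relies on the same sentinel, and rspamd_http_connection_write_message starts and ends outside this hunk, so the free path itself is not visible here.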
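Review bot: In the src/lua/lua_http.c hunk, the added comment in lua_http_request does not state the invariant the assignment sets up, so a reader of http.c cannot tell that a non-zero `body_buf.len` with a NULL `body_buf.str` now means the body is borrowed. I would reword it to `/* Zero-copy: body->str borrows t->start; non-zero body_buf.len with NULL body_buf.str stops the HTTP writer from aliasing (and later freeing) it */`. The comment should also say that `t` has to stay alive until the request has been written, which appears to be assumed but is not shown in this hunk. Separately, the unchanged context line that overwrites `msg->body->str` right after `g_string_new (NULL)` presumably drops the buffer GLib allocated for the new string; that is worth confirming against the message free path. The function body starts and ends outside the hunk.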