babelouest / ulfius

Web Framework to build REST APIs, Webservices or any HTTP endpoint in C language. Can stream large amount of data, integrate JSON data with Jansson, and create websocket services
https://babelouest.github.io/ulfius
GNU Lesser General Public License v2.1

[Issue] A use after free bug in src/ulfius.c #260

Closed ShangzhiXu closed 1 year ago

ShangzhiXu commented 1 year ago

Describe the issue

In function ulfius_webservice_dispatcher, at line 657, ulfius_init_websocket(websocket) will be called, and if it fails, at line 823, ulfius_clear_websocket will be called, which will lead to a UAF bug.

To be specific

In src/u_websocket.c at line 1728, if ulfius_init_websocket_manager(websocket->websocket_manager) fails, then websocket->websocket_manager will be freed at line 1729 and U_ERROR will be returned.

After return, the branch command at line 657 in src/ulfius.c will go to the else branch and set websocket_has_error = 1, which will lead to ulfius_clear_websocket being called at line 823.

To Reproduce

I found it by static analysis~

babelouest commented 1 year ago

Hello,

Thanks for the issue, it should be fixed in https://github.com/babelouest/ulfius/commit/adf5f0531a7ff7f3f542d5c4fbdb341ef5113cd3
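The pattern reported in this issue, modelled in self-contained C as an added example (it is not ulfius code and not the content of the fix commit): an init error path releases a member but leaves the pointer in place, and the caller's cleanup then releases it again. All names are hypothetical, and a one-slot static pool stands in for malloc/free so the second release is counted instead of corrupting the heap; resetting the pointer to NULL is one common hardening, assumed here.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the structures named in the report. */
struct manager { int in_use; };
struct websocket { struct manager *manager; };

static struct manager slot;     /* one-slot pool replaces malloc/free */
static int stale_releases;      /* releases of an already released slot */

static struct manager *manager_alloc(void) { slot.in_use = 1; return &slot; }
static void manager_release(struct manager *m) {
    if (m == NULL) return;
    if (!m->in_use) { stale_releases++; return; }  /* double free with a real heap */
    m->in_use = 0;
}

/* Always fails, standing in for the manager init failure in the report. */
static int manager_init(struct manager *m) { (void)m; return -1; }

/* Error path releases the member; only the hardened variant resets the pointer. */
static int ws_init(struct websocket *ws, int hardened) {
    ws->manager = manager_alloc();
    if (manager_init(ws->manager) != 0) {
        manager_release(ws->manager);
        if (hardened) ws->manager = NULL;
        return -1;
    }
    return 0;
}

/* Caller-side cleanup that runs after a failed init, as in the dispatcher. */
static void ws_clear(struct websocket *ws) {
    manager_release(ws->manager);
    ws->manager = NULL;
}

/* Returns the number of stale releases from one failed init plus cleanup. */
int run_case(int hardened) {
    struct websocket ws = { NULL };
    stale_releases = 0;
    if (ws_init(&ws, hardened) != 0) ws_clear(&ws);
    return stale_releases;
}

int main(void) {
    printf("dangling: %d, hardened: %d\n", run_case(0), run_case(1));
    return 0;
}
```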