From 0461f35f0be43a8ce97e3fc783a165a4b3c5905c Mon Sep 17 00:00:00 2001
From: Magnus Larsen
Date: Thu, 22 Jan 2026 23:57:22 -0800
Subject: [PATCH 1/2] Fully free SocketData while removing Http_Server

This fixes a use-after free where a dangling pointer would be left in the ValidSocks klist.
---
 src/IO/http.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/IO/http.c b/src/IO/http.c
index 4d9902f2..d0b70892 100644
--- a/src/IO/http.c
+++ b/src/IO/http.c
@@ -68,6 +68,7 @@ typedef struct {
 ChainLink *Info; /* Used for CCC asynchronous operations */
 char *connected_to; /* Used for per-server connection limit */
 uint_t connect_port;
+ int SKey;
 Dstr *https_proxy_reply;
 } SocketData_t;
@@ -168,7 +169,8 @@ static int Http_sock_new(void)
 {
 SocketData_t *S = dNew0(SocketData_t, 1);
 S->SockFD = -1;
- return a_Klist_insert(&ValidSocks, S);
+ S->SKey = a_Klist_insert(&ValidSocks, S);
+ return S->SKey;
 }
 /**
@@ -1092,6 +1094,8 @@ static void Http_server_remove(Server_t *srv)
 while ((sd = dList_nth_data(srv->queue, 0))) {
 dList_remove_fast(srv->queue, sd);
+ if (!(sd->flags & HTTP_SOCKET_TO_BE_FREED))
+ Http_socket_free(sd->SKey);
 dFree(sd);
 }
 dList_free(srv->queue);
@@ -1108,7 +1112,9 @@ static void Http_servers_remove_all(void)
 while (dList_length(servers) > 0) {
 srv = (Server_t*) dList_nth_data(servers, 0);
 while ((sd = dList_nth_data(srv->queue, 0))) {
- dList_remove(srv->queue, sd);
+ dList_remove_fast(srv->queue, sd);
+ if (!(sd->flags & HTTP_SOCKET_TO_BE_FREED))
+ Http_socket_free(sd->SKey);
 dFree(sd);
 }
 Http_server_remove(srv);

From 85370b4300ba56d3ddb67ef98cbd19e559645271 Mon Sep 17 00:00:00 2001
From: Magnus Larsen
Date: Thu, 22 Jan 2026 23:57:28 -0800
Subject: [PATCH 2/2] Fix use-after-free in openssl cert popup

This bug was half-addressed last year in commit 9b6c641, but conn could still be a dangling pointer if ongoing==TRUE.
---
 src/IO/tls_openssl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

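Review bot: The new `Http_socket_free(sd->SKey)` immediately followed by the existing `dFree(sd)` in Http_server_remove is only safe if Http_socket_free does not itself free a SocketData_t that is still queued; its body is not in this patch, so presumably it just drops the ValidSocks entry and sets HTTP_SOCKET_TO_BE_FREED for a queued socket, otherwise this is a double free. Because dList_remove_fast runs first, that decision must come from sd->flags rather than from queue membership, which is worth confirming. I would record the contract above the new check: `/* Drop the ValidSocks entry; Http_socket_free leaves a queued socket allocated, the dFree below releases it */`. The same sequence is added in the Http_servers_remove_all hunk. Http_server_remove starts before this hunk.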
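Review bot: The inner drain loop in Http_servers_remove_all is now a line-for-line copy of the one in Http_server_remove, and Http_server_remove(srv) is called right after it, so the copy looks redundant; the two versions had already drifted (dList_remove versus dList_remove_fast) before this patch. Dropping the inner loop so the body reads `srv = (Server_t*) dList_nth_data(servers, 0);` followed by `Http_server_remove(srv);` keeps the free sequence in one place. This assumes nothing earlier in Http_server_remove, whose beginning lies outside the previous hunk, relies on the queue being already empty. The enclosing while loop of Http_servers_remove_all continues past this hunk.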
diff --git a/src/IO/tls_openssl.c b/src/IO/tls_openssl.c
index dddde0e8..dd619996 100644
--- a/src/IO/tls_openssl.c
+++ b/src/IO/tls_openssl.c
@@ -1213,8 +1213,10 @@ static void Tls_connect(int fd, int connkey)
 * been closed by the server if the user responded too slowly to a popup.
 */
+ conn = a_Klist_get_data(conn_list, connkey);
+
 if (!ongoing) {
- if (a_Klist_get_data(conn_list, connkey)) {
+ if (conn) {
 conn->connecting = FALSE;
 if (failed) {
 conn->in_connect = FALSE;