From 7d259d885af98716071e445b4030e4d2d93f24cd Mon Sep 17 00:00:00 2001 
From: Andy Green Date: Fri, 13 May 2016 11:00:45 +0800 Subject: [PATCH] access_log ensure no reuse of freed log area Valgrind caught http/1.1 pipelining using dead user agent alloc for logging... NULL it when we free it since the wsi can be reused with keepalive ==16208== Invalid free() / delete / delete[] / realloc() ==16208== at 0x4847ACC: free (vg_replace_malloc.c:530) ==16208== by 0x4888DC3: _realloc (alloc.c:8) ==16208== by 0x4888DFF: lws_realloc (alloc.c:16) ==16208== by 0x487DBCB: lws_access_log (libwebsockets.c:2352) ==16208== by 0x48956DF: lws_http_transaction_completed (server.c:1245) ==16208== by 0x4893757: lws_http_serve (server.c:340) ==16208== by 0x48946EF: lws_http_action (server.c:748) ==16208== by 0x4894CEF: lws_handshake_server (server.c:900) ==16208== by 0x48786BF: lws_read (handshake.c:120) ==16208== by 0x4896103: lws_server_socket_service (server.c:1580) ==16208== by 0x487FB6B: lws_service_fd_tsi (service.c:779) ==16208== by 0x48803B7: lws_service_fd (service.c:1079) ==16208== Address 0x552e5f8 is 0 bytes inside a block of size 86 free'd ==16208== at 0x4847ACC: free (vg_replace_malloc.c:530) ==16208== by 0x4888DC3: _realloc (alloc.c:8) ==16208== by 0x4888DFF: lws_realloc (alloc.c:16) ==16208== by 0x487DBCB: lws_access_log (libwebsockets.c:2352) ==16208== by 0x48956DF: lws_http_transaction_completed (server.c:1245) ==16208== by 0x4893757: lws_http_serve (server.c:340) ==16208== by 0x48946EF: lws_http_action (server.c:748) ==16208== by 0x4894CEF: lws_handshake_server (server.c:900) ==16208== by 0x48786BF: lws_read (handshake.c:120) ==16208== by 0x4896103: lws_server_socket_service (server.c:1580) ==16208== by 0x487FB6B: lws_service_fd_tsi (service.c:779) ==16208== by 0x48803B7: lws_service_fd (service.c:1079) ==16208== Block was alloc'd at ==16208== at 0x4846498: malloc (vg_replace_malloc.c:298) ==16208== by 0x4848D57: realloc (vg_replace_malloc.c:785) ==16208== by 0x4888DA7: _realloc (alloc.c:6) ==16208== by 0x4888DFF: lws_realloc (alloc.c:16) 
==16208== by 0x4893EAF: lws_http_action (server.c:565) ==16208== by 0x4894CEF: lws_handshake_server (server.c:900) ==16208== by 0x48786BF: lws_read (handshake.c:120) ==16208== by 0x4896103: lws_server_socket_service (server.c:1580) ==16208== by 0x487FB6B: lws_service_fd_tsi (service.c:779) ==16208== by 0x48803B7: lws_service_fd (service.c:1079) ==16208== by 0x48994B7: lws_io_cb (libuv.c:101) ==16208== by 0x4AE7B1F: ??? (in /usr/lib/libuv.so.1.0.0) Signed-off-by: Andy Green
---
 lib/libwebsockets.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index b2046ba7..19608d76 100644
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -2333,6 +2333,9 @@ lws_access_log(struct lws *wsi)
 if (!wsi->access_log_pending)
 return 0;
+ if (!wsi->access_log.header_log)
+ return 0;
+
 if (!p)
 p = "";
@@ -2346,10 +2349,14 @@ lws_access_log(struct lws *wsi)
 } else
 lwsl_err("%s", ass);
- if (wsi->access_log.header_log)
+ if (wsi->access_log.header_log) {
 lws_free(wsi->access_log.header_log);
- if (wsi->access_log.user_agent)
+ wsi->access_log.header_log = NULL;
+ }
+ if (wsi->access_log.user_agent) {
 lws_free(wsi->access_log.user_agent);
+ wsi->access_log.user_agent = NULL;
+ }
 wsi->access_log_pending = 0;
 return 0;
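Review bot: The new early return `if (!wsi->access_log.header_log) return 0;` in the first hunk leaves the function before the cleanup at its end, so on that path `wsi->access_log_pending` stays set and `wsi->access_log.user_agent` is neither freed nor cleared. Whether a wsi can arrive here with the pending flag set, no `header_log` and a live `user_agent` is not visible from the hunk. If it can, a connection reused under keepalive would either leak that allocation or carry it into a later transaction's log entry. The guarded branch should release the state before returning: free and NULL `user_agent`, then set `wsi->access_log_pending = 0;`. The body of lws_access_log starts and ends outside this hunk.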
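Review bot: The reason for clearing the pointers in the second hunk is recorded only in the commit message, so a later cleanup could drop the `= NULL` assignments as redundant and reintroduce the double free Valgrind reported. A short comment above the two frees would keep that reasoning in the code, for example `/* wsi is reused across keepalive transactions: never leave freed log pointers behind */`. The free-then-NULL pair is also written out twice; a single free-and-clear helper, if the tree has one, would stop the two steps from drifting apart. Other places that release `header_log` or `user_agent` are outside this hunk and may need the same treatment.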