h2o -- use after free on premature connection close

ID 65BB1858-27DE-11E6-B714-74D02B9A84D5
Type freebsd
Reporter FreeBSD
Modified 2016-05-17T00:00:00


Tim Newsham reports:

When H2O tries to disconnect a premature HTTP/2 connection, it calls free(3) to release memory allocated for the connection and immediately afterwards touches the memory. No malloc-related operation is performed by the same thread between the time it calls free and the time the memory is touched. Fixed by Frederik Deweerdt.