fix use after free on premature connection close (CVE-2016-4817) #920
A use-after-free vulnerability has been reported by Tim Newsham and fixed by Frederik Deweerdt.
The CVE-ID for this issue is CVE-2016-4817. The issue has been fixed in versions 1.7.3 and 2.0.0-beta5. Users are encouraged to update to the latest versions.
The issue is that when H2O tries to disconnect a premature HTTP/2 connection, it calls free(3) to release the memory allocated for the connection and then immediately touches that memory. No malloc-related operation is performed by the same thread between the call to free and the access to the freed memory.
Therefore, it is estimated that the exploitability of the issue depends on whether an attacker can overwrite the freed memory chunk at the appropriate moment from another thread (note: the number of threads used to accept incoming connections is governed by the num-threads configuration directive).
If the issue is exploitable, a remote attacker could mount a DoS attack against H2O or, at worst, achieve remote code execution.
We would like to thank the aforementioned people for finding and fixing the issue.
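The following is an added illustration of the defect class the advisory describes and of the ordering fix that removes it; it is not H2O's code, and the `struct conn`, `conn_new`, `conn_close_buggy` and `conn_close` names, the stats counters and the sample addresses are all constructed for this example. The buggy variant shows why such a bug can pass tests (nothing touches the allocator between the free and the read, so the stale chunk usually still holds the old contents); the hardened variant copies what it still needs before freeing, frees last, and nulls the caller's pointer so a later use faults deterministically. Building with `-fsanitize=address` flags the buggy ordering at the first read after free, which is the cheapest way to catch this class in CI.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-connection state, loosely modelled on what an HTTP/2
 * server keeps for each client. This is NOT H2O's real connection struct. */
struct conn {
    int fd;
    unsigned num_streams;
    char *peer_addr;          /* heap string owned by the connection */
};

/* Counters the close path updates after tearing a connection down. */
struct close_stats {
    unsigned closed_connections;
    unsigned streams_reset;
};

/* Allocate a connection from constructed sample values. */
struct conn *conn_new(int fd, unsigned num_streams, const char *peer_addr)
{
    struct conn *c = calloc(1, sizeof *c);
    if (c == NULL)
        return NULL;
    c->fd = fd;
    c->num_streams = num_streams;
    size_t len = strlen(peer_addr) + 1;
    c->peer_addr = malloc(len);
    if (c->peer_addr == NULL) {
        free(c);
        return NULL;
    }
    memcpy(c->peer_addr, peer_addr, len);
    return c;
}

/* Shape of the defect class in the advisory: the object is released with
 * free(3) and then touched. Because this thread makes no allocator call in
 * between, the read usually still returns the old value, so the bug hides
 * in testing; another thread reusing the chunk at that moment changes what
 * is read. Compiled for illustration only: never call it, since reading
 * freed memory is undefined behaviour. */
void conn_close_buggy(struct conn *c, struct close_stats *st)
{
    free(c->peer_addr);
    free(c);
    st->streams_reset += c->num_streams;   /* use after free */
    st->closed_connections++;
}

/* Hardened ordering: copy everything the caller still needs out of the
 * object first, free last, and null the caller's pointer so an accidental
 * later use faults on NULL instead of silently reading freed memory.
 * Calling it twice on the same pointer variable is a harmless no-op. */
void conn_close(struct conn **cp, struct close_stats *st)
{
    struct conn *c = *cp;
    if (c == NULL)
        return;                              /* already closed */
    unsigned streams = c->num_streams;       /* read before free */
    free(c->peer_addr);
    free(c);
    *cp = NULL;
    st->streams_reset += streams;
    st->closed_connections++;
}

/* Tear down a constructed set of connections and return the counters. */
struct close_stats run_demo(void)
{
    struct close_stats st = {0, 0};
    struct conn *a = conn_new(7, 3, "198.51.100.7:44321");   /* constructed */
    struct conn *b = conn_new(8, 5, "203.0.113.9:51112");    /* constructed */
    conn_close(&a, &st);
    conn_close(&b, &st);
    conn_close(&a, &st);   /* second close is a no-op, not a double free */
    return st;
}

int main(void)
{
    struct close_stats st = run_demo();
    printf("closed=%u streams_reset=%u\n",
           st.closed_connections, st.streams_reset);
    return 0;
}
```

The double-pointer signature is the design choice worth copying: it makes the "pointer is dead after this call" contract visible at every call site, and turns the silent stale read of the buggy ordering into an immediate NULL dereference that any crash handler or fuzzer will report.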
May 26, 2016
May 26, 2016
waiting on https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209926 to commit this to ports.