FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

h2o -- use after free on premature connection close

Affected packages
h2o < 1.7.3

Details

VuXML ID 65bb1858-27de-11e6-b714-74d02b9a84d5
Discovery 2016-05-17
Entry 2016-06-01

Tim Newsha reports:

When H2O tries to disconnect a premature HTTP/2 connection, it calls free(3) to release memory allocated for the connection and immediately after then touches the memory. No malloc-related operation is performed by the same thread between the time it calls free and the time the memory is touched. Fixed by Frederik Deweerdt.

References

URL https://h2o.examp1e.net/vulnerabilities.html