Use-after-free in AsyncWebServerRequest::_removeNotInterestingHeaders

[depau]

Hi,
While running my code with Valgrind in an effort to troubleshoot memory-corruption issues I noticed there's a use-after-free error in this library's code.

Here the function iterates over a linked list of headers, and removes not-interesting ones from the list.
https://github.com/me-no-dev/ESPAsyncWebServer/blob/master/src/WebRequest.cpp#L183-L186

Here, the linked list's remove method correctly updates the next pointer and frees the removed item:

https://github.com/me-no-dev/ESPAsyncWebServer/blob/master/src/StringArray.h#L120-L132

However, if an item is deleted during iteration, the iterator still holds a reference to its memory, and it still uses it to retrieve the next pointer:

https://github.com/me-no-dev/ESPAsyncWebServer/blob/master/src/StringArray.h#L53

While this works in most cases and particularly on the ESP MCUs, on my testing setup I get a nice SIGSEGV.

A potential fix could be retrieving the next pointer ahead of time and storing it in the iterator. Then in operator++ replace it with the "next-next" pointer and return the stored next pointer. This should make deleting the current item safe.

---

(If you're wondering how the hell I'm running it with valgrind, I stubbed all the Arduino calls and patched ESPAsyncTCP to use the POSIX socket API, and I'm running my application as a regular Linux program)

[depau]

This branch has all my pull requests: https://github.com/Depau/ESPAsyncWebServer/tree/wi-se-patches

…

On Tue, May 25, 2021, 09:12 zekageri ***@***.***> wrote: Do you have a fork to try with the fixes? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#951 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAIZCWIV32N3VR5JSBU5LEDTPNEWRANCNFSM4YX3HCKA> .

[zekageri]

Thanks. I found one before but I think it wasnt that one. I will try it. Iam experiencing random crashes on my esp and it seems it is because this linked list problem. I cant debug because its remote and I cant put serial to it

[depau]

If you'd like to run your ESP application on a Linux computer, I wrote a bunch of stubs to do so: https://github.com/Depau/wi-se-sw/tree/main/fakeesp This is what allowed me to run this library with Valgrind/GDB and find the issues.

YMMV though, and I don't have time to provide any supports on them. Feel free to do whatever you want with the code, if you have any improvements lmk.

[zekageri]

Thank you for the help. Your version of the library seems pretty stable. It runs almost 4 days straight now.
I got a crash like in 20 hours before. But i really get stable consistent file servings and client connection/disconnetions. I will look at your linux thingy too.
I really appreciate these and hope Me_no_Dev will see your fixes

[stale]

[STALE_SET] This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

[depau]

Unstale, still waiting for this to be reviewed

[stale]

[STALE_CLR] This issue has been removed from the stale queue. Please ensure activity to keep it openin the future.

[brandonros]

@depau can you please pull latest me-no-dev master into your ``wi-se-patches` branch and push? It does not build otherwise.