scheduler: Fix possible use_after_free in cupsdReadClient()

zdohnal · zdohnal · commit 398fc2cd3881 · 2025-12-12T08:03:38.000+01:00
If cupsdSendHeader() fails, we free the connection and return -1, but in
that case we try to free the connection again in cupsdReadClient().
diff --git a/CHANGES.md b/CHANGES.md
@@ -7,6 +7,7 @@ Changes in CUPS v2.4.17 (YYYY-MM-DD)
 
 - The scheduler followed symbolic links when cleaning out its temporary
   directory (Issue #1448)
+- Fixed possible use-after-free in `cupsdReadClient()` (Issue #1454)
 
 
 Changes in CUPS v2.4.16 (2025-12-04)
diff --git a/scheduler/client.c b/scheduler/client.c
@@ -2752,10 +2752,7 @@ check_start_tls(cupsd_client_t *con)	/* I - Client connection */
     httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
 
     if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
-    {
-      cupsdCloseClient(con);
       return (-1);
-    }
   }
 
   return (1);

Original file line number	Diff line number	Diff line change
`@@ -2752,10 +2752,7 @@ check_start_tls(cupsd_client_t con) / I - Client connection */`
`2752`	`2752`	`httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");`
`2753`	`2753`
`2754`	`2754`	`if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))`
`2755`		`- {`
`2756`		`- cupsdCloseClient(con);`
`2757`	`2755`	`return (-1);`
`2758`		`- }`
`2759`	`2756`	`}`
`2760`	`2757`
`2761`	`2758`	`return (1);`