commit 5e36945a5e19c646c571b6400ed1cb5a0871257f
from: claudio
date: Mon Feb 2 13:37:33 2026 UTC
In server_read_httpchunks() do not blindly enable the bufferevent. This leads to a use-after-free since the bev->readcb() call could free the memory holding the bev right before the bufferevent_enable() call. Reported by Pontus Stenetorp. OK florian@ rsadowski@
commit - 6fb75f225b8e1b02f81416fe1b987197a37648ef
commit + 5e36945a5e19c646c571b6400ed1cb5a0871257f
blob - 485b67bc5e8079007e2ab36d1d5e4bea70086f49
blob + afdb73f243f7eb2c842352a4ea6475931d9a2246
--- server_http.c
+++ server_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_http.c,v 1.157 2025/12/20 23:12:53 tb Exp $ */
+/* $OpenBSD: server_http.c,v 1.158 2026/02/02 13:37:33 claudio Exp $ */
 /*
 * Copyright (c) 2020 Matthias Pressfreund
@@ -660,7 +660,8 @@ server_read_httpchunks(struct bufferevent *bev, void *
 goto done;
 if (EVBUFFER_LENGTH(src))
 bev->readcb(bev, arg);
- bufferevent_enable(bev, EV_READ);
+ else
+ bufferevent_enable(bev, EV_READ);
 return;
 done:
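Review bot: The new `else` before `bufferevent_enable(bev, EV_READ)` in server_read_httpchunks() carries a lifetime rule that the code itself never states: once `bev->readcb(bev, arg)` returns, `bev` (and possibly the client behind `arg`) may already be freed, so nothing after that call may touch them. A comment above the call, for example `/* readcb may close the client and free bev; do not use bev after it returns */`, would keep a later cleanup from folding the enable back into the common path. On the readcb branch EV_READ is now re-armed only if the nested callback does it on every path that keeps the connection open; that cannot be confirmed from this hunk, so it is worth checking to rule out a stalled chunked request. The function's body starts and ends outside the hunk.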