From a30364189a610058c4915516220ebb4682025d94 Mon Sep 17 00:00:00 2001
From: alexstanoev
Date: Fri, 31 Mar 2017 16:44:11 +0100
Subject: [PATCH] Zero out httpd_state before deallocating

When a connection is aborted by the HTTP server while it's still being processed it is possible to hit a null pointer dereference issue by jumping back to a protothread (outputpt) after its httpd_state has been freed. This can be triggered by sending a POST to any form in the CC26xx web demo server using Firefox.

This patch prevents that by zeroing out httpd_state structs before freeing them, thus also clearing the httpd_state->outputpt field.

Tested using Firefox 55.0a1 on a CC2650 LaunchPad.
---
 examples/cc26xx/cc26xx-web-demo/httpd-simple.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/examples/cc26xx/cc26xx-web-demo/httpd-simple.c b/examples/cc26xx/cc26xx-web-demo/httpd-simple.c
index 9800bbc48..e23e78efe 100644
--- a/examples/cc26xx/cc26xx-web-demo/httpd-simple.c
+++ b/examples/cc26xx/cc26xx-web-demo/httpd-simple.c
@@ -1268,9 +1268,7 @@ appcall(void *state)
 
 if(uip_closed() || uip_aborted() || uip_timedout()) {
 if(s != NULL) {
- s->script = NULL;
- s->blen = 0;
- s->tmp_buf_len = 0;
+ memset(s, 0, sizeof(struct httpd_state));
 memb_free(&conns, s);
 }
 } else if(uip_connected()) {
@@ -1291,7 +1289,7 @@ appcall(void *state)
 if(uip_poll()) {
 if(timer_expired(&s->timer)) {
 uip_abort();
- s->script = NULL;
+ memset(s, 0, sizeof(struct httpd_state));
 memb_free(&conns, s);
 }
 } else {
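Review bot: Zeroing the block before memb_free() removes the symptom but, unless something outside the hunk clears it, the connection's appstate still points at the freed block, so a later callback for the same uip_conn passes the `s != NULL` test in the first hunk and works on memory that memb may already have handed to a new connection. The uIP idiom after releasing per-connection state is to also detach it, `tcp_markconn(uip_conn, NULL);` immediately after each `memb_free(&conns, s);` in both hunks, so a stale callback takes the `s == NULL` path; this presumes the connected branch registered s with tcp_markconn, which is not visible here. Minor style: `memset(s, 0, sizeof *s);` keeps the size tied to the pointer's type instead of repeating the struct name. appcall's body begins and ends outside both hunks.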