Fix use after free in HTTPS listener on non-windows.

The boost examples for ssl::stream all use stack allocated contexts and streams; considering that the ssl::context is noncopyable, it seems that its lifetime must exceed any streams.
jasonsandlin · Mar 5, 2016 · ef8e748 · ef8e748
1 parent 5f75ec9
commit ef8e748
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/Release/include/cpprest/details/http_server_asio.h b/Release/include/cpprest/details/http_server_asio.h
@@ -72,6 +72,7 @@ class connection
     bool m_chunked;
     std::atomic<int> m_refs; // track how many threads are still referring to this
 
+    std::unique_ptr<boost::asio::ssl::context> m_ssl_context;
     std::unique_ptr<boost::asio::ssl::stream<boost::asio::ip::tcp::socket&>> m_ssl_stream;
 
 public:
@@ -85,9 +86,11 @@ class connection
     {
         if (is_https)
         {
-            boost::asio::ssl::context ssl_context(boost::asio::ssl::context::sslv23);
-            ssl_context_callback(ssl_context);
-            m_ssl_stream = utility::details::make_unique<boost::asio::ssl::stream<boost::asio::ip::tcp::socket&>>(*m_socket, ssl_context);
+            m_ssl_context = utility::details::make_unique<boost::asio::ssl::context>(boost::asio::ssl::context::sslv23);
+            ssl_context_callback(*m_ssl_context);
+            m_ssl_stream = utility::details::make_unique<boost::asio::ssl::stream<boost::asio::ip::tcp::socket&>>(*m_socket, *m_ssl_context);
+            m_ssl_stream = utility::details::make_unique<boost::asio::ssl::stream<boost::asio::ip::tcp::socket&>>(*m_socket, *m_ssl_context);
+
             m_ssl_stream->async_handshake(boost::asio::ssl::stream_base::server, [this](const boost::system::error_code&) { this->start_request_response(); });
         }
         else