From 05a595f74559f45a1d46f7457c484012b4f83f1a Mon Sep 17 00:00:00 2001
From: goldsimon <goldsimon@gmx.de>
Date: Wed, 1 Mar 2017 22:08:05 +0100
Subject: [PATCH] httpd: LWIP_HTTPD_POST_MANUAL_WND: fixed double-free when
 httpd_post_data_recved is called nested from httpd_post_receive_data() (bug
 #50424)

---
 CHANGELOG              | 6 +++++-
 src/apps/httpd/httpd.c | 7 +++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index d435a30a..ae69d00f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -29,8 +29,12 @@ HISTORY
 
   ++ Bugfixes:
 
+  2017-03-01: Simon Goldschmidt
+  * httpd: LWIP_HTTPD_POST_MANUAL_WND: fixed double-free when httpd_post_data_recved
+    is called nested from httpd_post_receive_data() (bug #50424)
+
   2017-02-28: David van Moolenbroek/Simon Goldschmidt
-  tcp: fixed bug #50418: LWIP_EVENT_API: fix invalid calbacks for SYN_RCVD pcb
+  * tcp: fixed bug #50418: LWIP_EVENT_API: fix invalid calbacks for SYN_RCVD pcb
 
   2017-02-24: Simon Goldschmidt
   * sockets.c: fixed close race conditions in lwip_select (for LWIP_NETCONN_FULLDUPLEX)
diff --git a/src/apps/httpd/httpd.c b/src/apps/httpd/httpd.c
index 7c2dfe62..43195d7c 100644
--- a/src/apps/httpd/httpd.c
+++ b/src/apps/httpd/httpd.c
@@ -1692,7 +1692,14 @@ http_post_rxpbuf(struct http_state *hs, struct pbuf *p)
       hs->post_content_len_left -= p->tot_len;
     }
   }
+#if LWIP_HTTPD_SUPPORT_POST && LWIP_HTTPD_POST_MANUAL_WND
+  /* prevent connection being closed if httpd_post_data_recved() is called nested */
+  hs->unrecved_bytes++;
+#endif
   err = httpd_post_receive_data(hs, p);
+#if LWIP_HTTPD_SUPPORT_POST && LWIP_HTTPD_POST_MANUAL_WND
+  hs->unrecved_bytes--;
+#endif
   if (err != ERR_OK) {
     /* Ignore remaining content in case of application error */
     hs->post_content_len_left = 0;