From ab1f58204388002d22e2ff042ae086096dbb1bd7 Mon Sep 17 00:00:00 2001
From: Simon Goldschmidt <goldsimon@gmx.de>
Date: Tue, 10 Oct 2023 20:40:42 +0200
Subject: [PATCH] httpd: fix bug #64458: When tcp_err() is invoked, tcp_pcb is
 freed but httpd_post_finished() is not called by httpd.c

---
 src/apps/http/httpd.c | 44 ++++++++++++++++++++++++++++---------------
 1 file changed, 29 insertions(+), 15 deletions(-)

diff --git a/src/apps/http/httpd.c b/src/apps/http/httpd.c
index 56e8cad4..3e9d2348 100644
--- a/src/apps/http/httpd.c
+++ b/src/apps/http/httpd.c
@@ -471,6 +471,32 @@ http_state_alloc(void)
   return ret;
 }
 
+/** Make sure the post code knows that the connection is closed */
+static void
+http_state_close_post(struct http_state* hs)
+{
+#if LWIP_HTTPD_SUPPORT_POST
+  if (hs != NULL) {
+    if ((hs->post_content_len_left != 0)
+#if LWIP_HTTPD_POST_MANUAL_WND
+      || ((hs->no_auto_wnd != 0) && (hs->unrecved_bytes != 0))
+#endif /* LWIP_HTTPD_POST_MANUAL_WND */
+      ) {
+      /* prevent calling httpd_post_finished twice */
+      hs->post_content_len_left = 0;
+#if LWIP_HTTPD_POST_MANUAL_WND
+      hs->unrecved_bytes = 0;
+#endif /* LWIP_HTTPD_POST_MANUAL_WND */
+      /* make sure the post code knows that the connection is closed */
+      http_uri_buf[0] = 0;
+      httpd_post_finished(hs, http_uri_buf, LWIP_HTTPD_URI_BUF_LEN);
+    }
+  }
+#else /* LWIP_HTTPD_SUPPORT_POST*/
+  LWIP_UNUSED_ARG(hs);
+#endif /* LWIP_HTTPD_SUPPORT_POST*/
+}
+
 /** Free a struct http_state.
  * Also frees the file data if dynamic.
  */
@@ -505,6 +531,7 @@ http_state_eof(struct http_state *hs)
     hs->req = NULL;
   }
 #endif /* LWIP_HTTPD_SUPPORT_REQUESTLIST */
+  http_state_close_post(hs);
 }
 
 /** Free a struct http_state.
@@ -598,20 +625,7 @@ http_close_or_abort_conn(struct altcp_pcb *pcb, struct http_state *hs, u8_t abor
   err_t err;
   LWIP_DEBUGF(HTTPD_DEBUG, ("Closing connection %p\n", (void *)pcb));
 
-#if LWIP_HTTPD_SUPPORT_POST
-  if (hs != NULL) {
-    if ((hs->post_content_len_left != 0)
-#if LWIP_HTTPD_POST_MANUAL_WND
-        || ((hs->no_auto_wnd != 0) && (hs->unrecved_bytes != 0))
-#endif /* LWIP_HTTPD_POST_MANUAL_WND */
-       ) {
-      /* make sure the post code knows that the connection is closed */
-      http_uri_buf[0] = 0;
-      httpd_post_finished(hs, http_uri_buf, LWIP_HTTPD_URI_BUF_LEN);
-    }
-  }
-#endif /* LWIP_HTTPD_SUPPORT_POST*/
-
+  http_state_close_post(hs);
 
   altcp_arg(pcb, NULL);
   altcp_recv(pcb, NULL);
@@ -2401,7 +2415,7 @@ http_init_file(struct http_state *hs, struct fs_file *file, int is_09, const cha
          search for the end of the header. */
       char *file_start = lwip_strnstr(hs->file, CRLF CRLF, hs->left);
       if (file_start != NULL) {
-        int diff = file_start + 4 - hs->file;
+        size_t diff = file_start + 4 - hs->file;
         hs->file += diff;
         hs->left -= (u32_t)diff;
       }