mirror of
https://github.com/pi-hole/FTL.git
synced 2026-06-30 03:45:38 +01:00
Dominik
6fc8deed01
pi_hole_extra_headers is a global char[1024] buffer written by API handlers and read/cleared by civetweb's send_additional_header(), but civetweb runs up to 50 worker threads concurrently. When multiple threads handle authenticated requests in parallel, one thread can overwrite or clear another's header data, causing wrong Set-Cookie headers to be sent to wrong clients or cookies to be dropped entirely. Make pi_hole_extra_headers _Thread_local so each worker thread gets its own buffer. This is safe because civetweb handles each request entirely within a single thread. The auth_data session array has a similar race: concurrent threads read/modify sessions without synchronization. Add a pthread mutex protecting all auth_data access, using AUTOLOCK/AUTOUNLOCK macros based on __attribute__((cleanup)) for RAII-style auto-unlock — ensuring the mutex is released on every exit path, including hidden returns inside JSON macros that do `return 500` on allocation failure. Change api->session from a pointer into auth_data to an embedded struct copy so downstream API handlers read from a per-request snapshot rather than shared state. Use JSON_COPY_STR_TO_OBJECT for auth_data strings so the JSON tree owns its own copies after the lock is released. Fixes: #2824 Signed-off-by: Dominik <dl6er@dl6er.de>