
curl and libcurl

Tracker: Bugs

multi + OpenSSL use after free - memory - ID: 2905220
Last Update: Settings changed ( sf-robot )

curl_multi_cleanup calls curl_rm_connc eventually which calls conn_free which calls Curl_ossl_close which calls ssl3_shutdown.

ssl3_shutdown fails to send an alert packet (e.g. because the conn timed out) and then logs a message. This calls back into curl ssl_tls_trace. It tries to use conn->data. But conn->data points to some long gone easy handle (I think). Use after free.

Index: url.c
===================================================================
--- url.c (revision 33084)
+++ url.c (working copy)
@@ -2825,6 +2825,7 @@
ConnectionDone(struct connectdata *conn)
{
conn->inuse = FALSE;
+ conn->data = NULL;
}

/*
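Review bot: clearing conn->data in ConnectionDone() runs at the end of every transfer, while the connection is still pooled and may be reused or gracefully disconnected later; anything that runs on the connection after that point and needs the easy handle (the FTP QUIT at disconnect, per the follow-up comment reporting FTP test failures) now finds a NULL pointer. A narrower fix leaves ConnectionDone() alone and nulls the pointer only on the disconnect path immediately before Curl_ssl_close(), as the second patch in this thread does, so the stale handle is unreachable exactly where the SSL trace callback can fire.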


Submitted by: Constantine Sapuntzakis ( csapuntz ) - 2009-11-28 04:51:15 UTC
Priority: 6
Status: Closed
Resolution: Fixed
Assigned to: Daniel Stenberg
Category: SSL/TLS
Group: crash
Visibility: Public

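To make the call chain in the report concrete, here is an added C example; it is not code from curl or from the reporter. It models the lifecycle with constructed stand-in structs (easy_handle, connectdata), a simulated trace callback ssl_tls_trace_sim standing in for ssl_tls_trace, and two disconnect routines: one in the pre-fix order, where the SSL close runs while conn->data still points at a handle that was already cleaned up, and one that nulls conn->data first, as the patch does. The alive flag is an assumption of the model: it lets the stale-handle case be reported without actually reading freed memory, which the real bug does.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the curl structures named in the report; these
   are not the library's real definitions. */
struct easy_handle {
    char name[16];
    int alive;            /* 0 once "freed": lets the model detect a stale
                             reference without touching freed memory */
};

struct connectdata {
    struct easy_handle *data;   /* easy handle currently driving this connection */
    int inuse;
};

/* What the simulated SSL shutdown trace observed. */
enum trace_result { TRACE_OK = 0, TRACE_NO_HANDLE = 1, TRACE_USE_AFTER_FREE = 2 };

/* Stand-in for ssl_tls_trace(): the OpenSSL info callback that wants to log
   the owning handle's name when ssl3_shutdown fails to send its alert.  It
   must tolerate conn->data == NULL, because a pooled connection can outlive
   every easy handle that used it. */
static enum trace_result ssl_tls_trace_sim(struct connectdata *conn,
                                           char *out, size_t outlen)
{
    if(conn->data == NULL) {
        snprintf(out, outlen, "[no handle] shutdown alert failed");
        return TRACE_NO_HANDLE;
    }
    if(!conn->data->alive)          /* the real code would read freed memory here */
        return TRACE_USE_AFTER_FREE;
    snprintf(out, outlen, "[%s] shutdown alert failed", conn->data->name);
    return TRACE_OK;
}

/* curl_easy_cleanup() analogue: the handle is gone, but the pooled
   connection still remembers its address. */
static void easy_cleanup_sim(struct easy_handle *h)
{
    h->alive = 0;
}

/* Disconnect in the pre-fix order: the SSL close (and its trace callback)
   runs with conn->data still pointing at the stale handle. */
static enum trace_result disconnect_before_fix(struct connectdata *conn,
                                               char *log, size_t loglen)
{
    return ssl_tls_trace_sim(conn, log, loglen);
}

/* Disconnect with the fix from the report: clear conn->data before the SSL
   close so the callback cannot reach the dead handle. */
static enum trace_result disconnect_after_fix(struct connectdata *conn,
                                              char *log, size_t loglen)
{
    conn->data = NULL;
    return ssl_tls_trace_sim(conn, log, loglen);
}

/* Plays the curl_multi_cleanup scenario from the report once with the given
   disconnect routine and returns what the trace callback saw. */
static enum trace_result run_scenario(
    enum trace_result (*disconnect)(struct connectdata *, char *, size_t))
{
    struct easy_handle easy = { "easy#1", 1 };   /* constructed sample handle */
    struct connectdata conn = { &easy, 1 };
    char log[64];

    conn.inuse = 0;             /* transfer done; connection returns to the pool */
    easy_cleanup_sim(&easy);    /* easy handle freed; conn.data now dangles */
    /* curl_multi_cleanup -> curl_rm_connc -> conn_free -> SSL close -> trace */
    return disconnect(&conn, log, sizeof log);
}

int main(void)
{
    printf("before fix: %d (2 = use after free)\n",
           run_scenario(disconnect_before_fix));
    printf("after fix:  %d (1 = callback saw no handle)\n",
           run_scenario(disconnect_after_fix));
    return 0;
}
```

The NULL check inside ssl_tls_trace_sim is the other half of the fix: nulling conn->data only helps if the callback that fires during shutdown tolerates an absent handle, otherwise the dangling read becomes a NULL dereference on the same path.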

Comments ( 9 )

Date: 2009-12-25 02:20:18 UTC
Sender: sf-robot (SourceForge.net Site Admin)

This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).


Date: 2009-12-10 20:25:00 UTC
Sender: bagder (Project Admin)

Thanks for the report, this problem is now fixed in CVS!


Date: 2009-12-08 23:03:16 UTC
Sender: bagder (Project Admin)

Thank you. I can repeat the crash now...


Date: 2009-12-08 19:43:30 UTC
Sender: csapuntz

Attached a new version with instructions to set up server with stunnel. Will probably need to delete the line "import ssl" in httpd.py to have it work.


Date: 2009-12-08 19:03:48 UTC
Sender: bagder (Project Admin)

$ python httpd.py --ssl=localhost.pem
Traceback (most recent call last):
File "httpd.py", line 12, in <module>
import ssl

What particular package might that be from?


Date: 2009-11-30 03:03:57 UTC
Sender: csapuntz

Added example to the bug.


Date: 2009-11-29 19:09:36 UTC
Sender: bagder (Project Admin)

Can you provide an example that repeats this problem?


Date: 2009-11-28 05:41:37 UTC
Sender: csapuntz

More conservative diff.

Index: url.c
===================================================================
--- url.c (revision 33154)
+++ url.c (working copy)
@@ -2300,6 +2300,10 @@
if(!conn)
return;

+ /* Curl_ssl_close may lead to ssl_tls_trace being called. Make sure
that function
+ doesn't use an old easy handle that's been freed. */
+ conn->data = NULL;
+
Curl_ssl_close(conn, FIRSTSOCKET);
Curl_ssl_close(conn, SECONDARYSOCKET);

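Review bot: the added comment is wrapped mid-line as posted ("Make sure / that function / + doesn't use ..."), so the hunk will not apply with patch(1) until the comment is rejoined into lines that each carry a leading '+'. On the logic: with conn->data set to NULL before Curl_ssl_close(), ssl_tls_trace (which the report says reads conn->data) must check for a NULL data pointer, otherwise the use-after-free becomes a NULL dereference on the same failed-shutdown-alert path; worth confirming that check exists or adding it alongside this change.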



Date: 2009-11-28 05:20:03 UTC
Sender: csapuntz

Hmm... this causes a bunch of FTP tests to fail because QUIT is no longer issued.


Attached File ( 1 )

Filename: curl-2905220-2.tar.gz
Description: Repro w/stunnel

Changes ( 10 )

Field           Old Value                       Date                      By
status_id       Pending                         2009-12-25 02:20:19 UTC   sf-robot
close_date      2009-12-10 20:25                2009-12-25 02:20:19 UTC   sf-robot
allow_comments  1                               2009-12-25 02:20:19 UTC   sf-robot
resolution_id   None                            2009-12-10 20:25:00 UTC   bagder
status_id       Open                            2009-12-10 20:25:00 UTC   bagder
close_date      -                               2009-12-10 20:25:00 UTC   bagder
File Added      354406: curl-2905220-2.tar.gz   2009-12-08 19:41:06 UTC   csapuntz
File Deleted    353076:                         2009-12-08 19:39:59 UTC   csapuntz
File Added      353076: curl-2905220.tar.gz     2009-11-30 03:03:34 UTC   csapuntz
priority        5                               2009-11-29 19:09:37 UTC   bagder