New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rare Windows crash due to potentially dangling data->state.mimepost
pointer
#12608
Comments
I don't believe the check is necessary and it can be cleared unconditionally. Does this fix the problem for you? diff --git a/lib/setopt.c b/lib/setopt.c
index 460cb32e7..e13432334 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -679,10 +679,11 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
data->set.httppost = va_arg(param, struct curl_httppost *);
data->set.method = HTTPREQ_POST_FORM;
data->set.opt_no_body = FALSE; /* this is implied */
Curl_mime_cleanpart(data->state.formp);
Curl_safefree(data->state.formp);
+ data->state.mimepost = NULL;
break;
#endif
#if !defined(CURL_DISABLE_AWS)
case CURLOPT_AWS_SIGV4:
@@ -986,10 +987,11 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
data->set.method = HTTPREQ_POST_MIME;
data->set.opt_no_body = FALSE; /* this is implied */
#ifndef CURL_DISABLE_FORM_API
Curl_mime_cleanpart(data->state.formp);
Curl_safefree(data->state.formp);
+ data->state.mimepost = NULL;
#endif
}
break;
case CURLOPT_MIME_OPTIONS: |
Based on my read of the code I think it should, but I can't really confirm directly. We've only seen this crash once, in one of our (many) nightly automation runs, which haven't had any issues like this since we first updated to curl 8.4.0 back in October. |
A precaution to avoid a possible dangling pointer left behind. Reported-by: Thomas Ferguson Fixes #12608
Ok, then let's hope this fixes it and move forward with this take. I made #12621. |
Thanks @bagder, 🤞 |
I did this
First time tracing through curl code and I'm unfamiliar with curl's workflow, so apologies in advanced if my analysis here is lacking or inaccurate.
From what I can tell, a somewhat recent change was made via 74b87a8, which added two new
formp
andmimepost
pointers toUrlState
. There appears to be a case where themimepost
pointer can be set toformp
, but left dangling afterformp
is freed and cleared.Crashing stack (bottom of stack w/ non-curl calls omitted for privacy):
data->state
content, showing nullformp
and (dangling?)mimepost
at time of crash:data->state.mimepost
content at time of crash, which appears to be in the midst of getting modified by something else at this point - content is incoherent:It's hard to 100% confirm from the crash dump, but I believe the following occurred:
CURLE_SSL_CONNECT_ERROR
in a previous operation using this easy curl handle).I believe we made it far enough for
formp
to get allocated inCurl_http_body
, and formimepost
to be assigned to:But hit network issues later on when doing the request that resulted in
data->state.rewindbeforesend
to be set to TRUE, potentially inCurl_retry_request
:This again uses
CURLOPT_HTTPPOST
, which frees and clearsdata->state.formp
(note thatdata->state.mimepost
is not cleared here):MSTATE_PROTOCONNECT
, thedata->state.rewindbeforesend
flag check passes, so rewind is attempted. It's not clear to me if this flag being set is carry over from the previous failed POST attempt or was set during a previousMSTATE
(e.g.,MSTATE_CONNECT
):readrewind
is initially primed to use&data->set.mimepost
, but has a conditional check that gets met to usedata->state.mimepost
instead:mime_part_rewind
uses the (presumably dangling) pointer, which at this point is being reused by something else, the various checks (including for non-nullseekfunc
) happen to pass as the memory the dangling pointer references is being modified:I expected the following
No crash.
Perhaps
data->state.mimepost
should be cleared when handlingCURLOPT_HTTPPOST
wheredata->state.formp
is freed/cleared, like so?curl/libcurl version
curl 8.4.0
operating system
Windows 10 x64, 21H2
The text was updated successfully, but these errors were encountered: