
null pointer dereference in Curl_thread_join() #3850

Closed
geeknik opened this issue May 7, 2019 · 2 comments

geeknik commented May 7, 2019

I did this

echo "VVI6MAotOgppbnQ6MApkTzowClVSOjA=" | base64 -d | tee test0000.curl

./curl -q -K test0000.curl https://twitter.com/geeknik

I expected the following

No crash.

But this happened instead

#0 0x6242c1 in Curl_thread_join /root/curl/lib/curl_threads.c:93:28
#1 0x53d6c7 in thread_wait_resolv /root/curl/lib/asyn-thread.c:475:6
#2 0x53d6c7 in Curl_resolver_wait_resolv /root/curl/lib/asyn-thread.c:533
#3 0x51a99b in bindlocal /root/curl/lib/connect.c:362:15
#4 0x51a99b in singleipconnect /root/curl/lib/connect.c:1071
#5 0x51956a in Curl_connecthost /root/curl/lib/connect.c:1211:14
#6 0x5c533c in Curl_setup_conn /root/curl/lib/url.c:4019:14
#7 0x5c5ad8 in Curl_connect /root/curl/lib/url.c:4062:16
#8 0x527b87 in multi_runsingle /root/curl/lib/multi.c:1356:16
#9 0x5257d2 in curl_multi_perform /root/curl/lib/multi.c:2065:14
#10 0x513a9b in easy_transfer /root/curl/lib/easy.c:624:15
#11 0x513a9b in easy_perform /root/curl/lib/easy.c:718
#12 0x513a9b in curl_easy_perform /root/curl/lib/easy.c:737
#13 0x4f72b3 in operate_do /root/curl/src/tool_operate.c:1592:20
#14 0x4eb08c in operate /root/curl/src/tool_operate.c:2095:20
#15 0x4e9ec7 in main /root/curl/src/tool_main.c:326:14
#16 0x7fac899972e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#17 0x423f09 in _start (/root/curl/src/curl+0x423f09)

curl/libcurl version

Git commit 139202b

curl 7.65.0-DEV (x86_64-pc-linux-gnu) libcurl/7.65.0-DEV OpenSSL/1.1.0j zlib/1.2.8
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets

operating system

Debian 9.x x64

jay (Member) commented May 9, 2019

echo "VVI6MAotOgppbnQ6MApkTzowClVSOjA=" | base64 -d | tee test0000.curl

UR:0
-:
int:0
dO:0
UR:0

How'd you come up with that data? I can't reproduce in Windows 7 (native or cygwin) but in Ubuntu:

lt-curl: asyn-thread.c:471: thread_wait_resolv: Assertion `conn && td' failed.
Aborted

I'm still not entirely sure what that config is doing yet. It looks like it's using DoH but I don't know why since that option isn't specified. I can get the same assertion with just this and no url:

int:0
dO:0
UR:0

bagder (Member) commented May 9, 2019

How'd you come up with that data?

I presume fuzzing was involved.

bagder added a commit that referenced this issue May 9, 2019
Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for
DOH resolves. This fix disables DOH for those.

Fixes #3850
@bagder bagder closed this as completed in 12d655d May 11, 2019
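
Added example, not curl's code: a minimal C model of the structure behind this crash and the shape of the fix described in the commit message. A resolver has two back-ends, a worker thread and a DoH-style request that no thread backs, and a blocking wait that only makes sense for the threaded one. The per-thread state (`td` in the failed assertion `conn && td`) is simply absent for the DoH path, so an unguarded join dereferences NULL; the guarded version returns an error instead, and callers that must block pass an `allow_doh` veto so they never land on the DoH path at all. All names (`resolve_req`, `thread_data`, `allow_doh`, `resolve_blocking`) and the lookup table are constructed for the example.

```c
/* Added example, not curl's code: two resolver back-ends and a blocking wait
 * that is only valid for the threaded one. Names are illustrative. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for DNS answers so the example runs offline. */
static const struct { const char *name; const char *addr; } fake_dns[] = {
    { "example.test", "192.0.2.10" },
    { "0",            "0.0.0.0"    },
};

/* Per-thread state; a DoH resolve never allocates one. */
struct thread_data {
    pthread_t thread_hnd;
    char hostname[64];
    char result[32];        /* written by the worker, empty if not found */
};

struct resolve_req {
    int use_doh;            /* handed to a DoH request, so no thread */
    struct thread_data *td; /* NULL for DoH requests */
    char addr[32];
};

static void *resolver_worker(void *arg)
{
    struct thread_data *td = arg;
    td->result[0] = '\0';
    for(size_t i = 0; i < sizeof fake_dns / sizeof fake_dns[0]; i++)
        if(strcmp(fake_dns[i].name, td->hostname) == 0)
            snprintf(td->result, sizeof td->result, "%s", fake_dns[i].addr);
    return NULL;
}

/* Start a resolve. allow_doh is the caller's veto, modelled on the fix: a
 * caller that must block (like bindlocal resolving --interface) passes 0
 * and always gets the threaded back-end. Returns 0 on success. */
int resolve_start(struct resolve_req *req, const char *host,
                  int doh_configured, int allow_doh)
{
    memset(req, 0, sizeof *req);
    req->use_doh = doh_configured && allow_doh;
    if(req->use_doh)
        return 0;  /* completion would come from the event loop, not a join */
    req->td = calloc(1, sizeof *req->td);
    if(!req->td)
        return -1;
    snprintf(req->td->hostname, sizeof req->td->hostname, "%s", host);
    if(pthread_create(&req->td->thread_hnd, NULL, resolver_worker, req->td)) {
        free(req->td);
        req->td = NULL;
        return -1;
    }
    return 0;
}

/* Shape of the pre-fix wait: joins through req->td without checking it.
 * For a DoH request req->td is NULL, which is the crash in the report.
 * Kept only for comparison; nothing below calls it. */
int wait_resolv_unguarded(struct resolve_req *req)
{
    pthread_join(req->td->thread_hnd, NULL);
    snprintf(req->addr, sizeof req->addr, "%s", req->td->result);
    free(req->td);
    req->td = NULL;
    return 0;
}

/* Guarded wait: 0 on success, -1 when there is no thread to wait for,
 * -2 when the name did not resolve. An error code, never a crash. */
int wait_resolv_guarded(struct resolve_req *req)
{
    if(!req->td)
        return -1;
    pthread_join(req->td->thread_hnd, NULL);
    snprintf(req->addr, sizeof req->addr, "%s", req->td->result);
    free(req->td);
    req->td = NULL;
    return req->addr[0] ? 0 : -2;
}

/* Blocking lookup as a caller like bindlocal() needs it. */
int resolve_blocking(const char *host, int doh_configured, int allow_doh,
                     char *out, size_t outlen)
{
    struct resolve_req req;
    int rc;
    if(resolve_start(&req, host, doh_configured, allow_doh) != 0)
        return -1;
    rc = wait_resolv_guarded(&req);
    if(rc == 0)
        snprintf(out, outlen, "%s", req.addr);
    return rc;
}

int main(void)
{
    char addr[32];
    /* DoH configured but vetoed by the caller: threaded path, resolves. */
    printf("allow_doh=0: rc=%d\n", resolve_blocking("0", 1, 0, addr, sizeof addr));
    /* DoH configured and allowed: no thread exists, guarded wait errors out. */
    printf("allow_doh=1: rc=%d\n", resolve_blocking("0", 1, 1, addr, sizeof addr));
    return 0;
}
```

The first call prints `rc=0`, the second `rc=-1`; swapping `wait_resolv_guarded` for `wait_resolv_unguarded` in `resolve_blocking` turns the second call into the same NULL dereference the report's backtrace shows, which is the behaviour the `allow_doh` veto exists to prevent.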