Invalid read / null pointer dereference in tool_create_output_file #4807

geeknik · 2020-01-11T00:33:35Z

I did this

Compiled curl git f147c6 with Clang and ASan.
./curl -q -K test0000.conf file:///dev/null

And then this happened

Warning: test0000.conf:1: warning:
Warning: '000000000000000000000000000000000000000000000000000000000000000000000
Warning: 0000000000000000000000000000000000000000000▒'▒r▒▒▒▒' is unknown
*SNIP*
AddressSanitizer:DEADLYSIGNAL
=================================================================
==14960==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000004b0 (pc 0x00000050c173 bp 0x7ffc01a5d450 sp 0x7ffc01a5d1f0 T0)
==14960==The signal is caused by a READ memory access.
==14960==Hint: address points to the zero page.
    #0 0x50c172 in tool_create_output_file /root/curl/build/src/../../src/tool_cb_wrt.c:41:13
    #1 0x54db90 in post_per_transfer /root/curl/build/src/../../src/tool_operate.c:383:24
    #2 0x54c76f in run_all_transfers /root/curl/build/src/../../src/tool_operate.c:2385:24
    #3 0x54a843 in operate /root/curl/build/src/../../src/tool_operate.c:2491:18
    #4 0x547b06 in main /root/curl/build/src/../../src/tool_main.c:314:14
    #5 0x7f80ff3f909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #6 0x41e5e9 in _start (/root/curl/build/src/curl+0x41e5e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/curl/build/src/../../src/tool_cb_wrt.c:41:13 in tool_create_output_file

However, I expected the following

No crash.

curl/libcurl version

git f147c6

curl 7.68.0-DEV (x86_64-pc-linux-gnu) libcurl/7.68.0-DEV
Release-Date: [unreleased]
Protocols: dict file ftp gopher http imap pop3 rtsp smtp telnet tftp
Features: AsynchDNS IPv6 Largefile UnixSockets

operating system

Ubuntu

test0000.conf base64

MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMPWV
EScO9apy9fXPwApVcgsqI0tGRkZGAAAAGKXv6jwKVXILLAAIpYIWCmTqCi06RAD/CgpkCgBABQoK
m/UKPGUcgP8K9Qr1+oD/ClVy9NUj/w71CgoK0PXqgiD1EGT19fUK9ej1CgqbBfX19fX19fX1GgDS
owpA/woKJC9AJ4AKVVALJSN2CQnv/w2bJw7m/+/2ABQKCgAKAAD1+oIg9RBk9fX1CvXo9QoKmwX1
9fX19fX19RoA0qOpJw4KanLGYhzt5CBlavXLKzQ0NDQKAGf1Ci1ab6YKnG/9+EGJ9gnP/w2b9wD/
CgoKZAoACugFW/X19fXhwAqT8gqS6iQbQCcOClVu9Cojdgn2z/9Nm/cAgAonDv/m/g3//wAEAADM
li0tmgYKCsyWKiOJ9fXPPApVcgsqI0tGRkBGRkYACKWCgP8K9Qr1+oD/CpigZ4iRE39k6An/a/3m
5eUaNwp4bBrr2nj1CkpMkw0f7+o8ClVyCyojS0ZGRkYAAAAYClVyC0YACKUjIyMRIwLi4B8WCmTq
Ci06RNoADQn17eT2/wD1CiJsW7QbNCs0NDQ0CgBn9QotWv7/wg0JIycnJwDSo/f1CgoKJC9AKfcK
VVAK9ej1gACbBfX1CgoaJC9AJ4AKVVAL6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr
6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6yOJ9fXPPw2bAPXgwIqpABDv6gAKLXIL6+vr6+vr
6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr
6+vr6+vr6+vrFBQUFOvr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vrRYAACu/q
AApVcgsqI7S5RgX//xgACKWCgP8a6PX19fX19eHACpPyCpInJycnJycnJ9jY2NgnJycnJycnJycn
JycnJycnJyfY2CcnJycnJycnJycnJycnJycnJycnJycnJycnJycnJyf2mwoA9fqCIPUQZPX0dQr1
+vUKCvUpCgoK9fYDRUWAAP8ARQoKCgAAAEUKCgoAAACA9fUjCyr+5ycOZFVyCyojiS0w9hXP7A2b
9XgBJw4KVXILKiOJ9SAAPw2bAPX1FC14bH9IAAD79cUXZH56mkBtaWlseGwa6uUaGnf7CgotTGx4
bHdsGv8vLy0vL9AvLy8v9eHACpPyCpLqQArr0odsf0wAAJsK9db19fX11QMa6PX19fX19R4/9Wzy
CpLqJC9AJw4KVXILKv8KJw0nJycnJCcnJycnJycn2NjY2CcnJycnJycnJycnJycnJycnJycnJycn
JycnJycnJycnJycnJycnJycnJycnJychJycnJ/abCgD1+oIg9RBk9fR1CvX69QoK3CkKCgr19gNF
RYAA/wBFCgoKAAAARQoKCgAAAID19SMLKv7nJw5kVXILKiOJLTD19c/sDZv1eAEnDgpVcgsqI4n1
IAA/DZsA9fUULXhsf0wAAAQKxRdkfnqaQG1paWx4bBrq5Road/sKCi1MbERsd2wa/y8vLS8v0C8v
Ly8vLy8vLy8vLy8vLy8vLy8vDZv3kv8KJw4KVXILKvX19fX19eHACpPyCpLqJC9AJw4KVXILKv8K
Jw31VWkLKiOJLTAKCjATDZv1eAETDgpVcgsuI4n19c8/DZsA9eDAiqkAEO/qAAotcgsqI0tGRij/
5QUACKWCgP8KBQrgA/abCgD1+oIg9RBk9fR1CvX69QoK9SOJ9f8A/w2b9X///0pFksN9CgoK9vX1
9dYKAP///GQOClVyIGUKL0AnDgpVcgsl3Hb2Cc//DZv3AP8AJw4KVXLTEyNkDg3VciAqo4n1CjD/
DZv3fy3/SkUA7z8hG/WYfwBkCh/8CWQKABD/kSaOClVyCwokL0AnDgpKcvAkDIn2Cdr/Dlv3AP8K
Jw71VXILKiOJLWNjAWNjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2MNFe/qJApVaQsqI0tGRkZG
KEYACKWCgIfPCgBkDgpVciBl9NAKf+N9HO3oZQ8iFID/z8/oApJkAMrTEyP1/to=

The text was updated successfully, but these errors were encountered:

bagder · 2020-01-11T21:43:36Z

Reproduced.

As it was just unnecessary duplicated information already stored in the 'per_transfer' struct and that's around mostly anyway. The duplicated pointer caused problems when the code flow was aborted before the dupe was filled in and could cause a NULL pointer access. Reported-by: Brian Carpenter Fixes #4807

bagder added cmdline tool crash labels Jan 11, 2020

bagder self-assigned this Jan 11, 2020

bagder mentioned this issue Jan 11, 2020

curl: remove 'config' field from OutStruct #4810

Closed

bagder closed this as completed in ad0aa27 Jan 12, 2020

lock bot locked as resolved and limited conversation to collaborators Apr 15, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Invalid read / null pointer dereference in tool_create_output_file #4807

Invalid read / null pointer dereference in tool_create_output_file #4807

geeknik commented Jan 11, 2020

bagder commented Jan 11, 2020

Invalid read / null pointer dereference in tool_create_output_file #4807

Invalid read / null pointer dereference in tool_create_output_file #4807

Comments

geeknik commented Jan 11, 2020

I did this

And then this happened

However, I expected the following

curl/libcurl version

operating system

test0000.conf base64

bagder commented Jan 11, 2020