Navigation Menu

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

curl_exec segmentation fault when using CURLOPT_PROXY - ? invalid free() ? #7236

Closed
PhilETaylor opened this issue Jun 10, 2021 · 8 comments
Closed

curl_exec segmentation fault when using CURLOPT_PROXY - ? invalid free() ? #7236

PhilETaylor opened this issue Jun 10, 2021 · 8 comments

Comments

@PhilETaylor
Copy link

Cross Posting from downstream: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12733

This documents my Segmentation fault as requested here https://twitter.com/n_copa/status/1401971352073084928

My set up is docker containers. In development this is on an Intel Mac, in Production this is on a Digital Ocean server.

I was able to isolate and replicate the issue away from my production application (mySites.guru)

to replicate I started php:alpine3.13

docker run -it --rm php:alpine3.13 sh

out of the box this has:

PHP 8.0.7 (cli) (built: Jun  4 2021 19:02:30) ( NTS )
Copyright (c) The PHP Group
Zend Engine v4.0.7, Copyright (c) Zend Technologies

curl 7.76.1 (x86_64-alpine-linux-musl) libcurl/7.77.0 OpenSSL/1.1.1k zlib/1.2.11 brotli/1.0.9 nghttp2/1.42.0
Release-Date: 2021-04-14
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets
WARNING: curl and libcurl versions do not match. Functionality may be affected.

My exact test case, with redacted domains/proxy is below, the problem can be replicated with php script:

<?php

$ch = curl_init();

// replace a.working.proxy:8888 with a Nginx Forward Proxy
curl_setopt($ch, CURLOPT_PROXY, 'a.working.proxy:8888');

// replace https://a.site.that.has.blocked.your.proxies.ip/ with a site that you know has your Proxy's IP address blocked in their firewall. 
curl_setopt($ch, CURLOPT_URL, 'https://a.site.that.has.blocked.your.proxies.ip/');

curl_setopt($ch, CURLOPT_TIMEOUT, 2);
$res = curl_exec($ch);
print_r($res);

Then run as php test.php

/ # php test.php
Segmentation fault
/ # php test.php
Segmentation fault
/ # php test.php
Segmentation fault
/ # php test.php
Segmentation fault
/ # php test.php
Segmentation fault
/ # php test.php
Segmentation fault

In writing up these notes, I wanted to provide code that you could just run, so I took a proxy from https://spys.one/en/free-proxy-list/ and added it to the code, and used https://alpinelinux.org as the domain name, as there is no IP blocking of this exact proxy by https://alpinelinux.org - this is ruling out my initial theory and leads me to believe this seems to be an issue when using CURLOPT_PROXY to be sure. Your mileage might vary, I dont control these proxies and their responses.

<?php
error_reporting(E_ALL);
ini_set('display_errors',1);

$ch = curl_init();
curl_setopt($ch, CURLOPT_PROXY, '70.169.141.35:3128');
curl_setopt($ch, CURLOPT_URL, 'https://alpinelinux.org');
curl_setopt($ch, CURLOPT_TIMEOUT, 2);
$res = curl_exec($ch);
print_r($res);exit;

When run I get:

/ # nano test.php
/ # php test.php
/ # php test.php
/ # php test.php
/ # php test.php
/ # php test.php
/ # nano test.php
/ # php test.php
/ # php test.php
/ # php test.php
Segmentation fault
/ # php test.php
/ # php test.php
/ # php test.php
/ # php test.php
/ # php test.php
Segmentation fault
/ # php test.php
Segmentation fault
/ # php test.php
/ # php test.php
/ # php test.php
Segmentation fault

As soon as you remove the curl_setopt($ch, CURLOPT_PROXY, '70.169.141.35:3128'); line EVERYTHING works fast and as normal, and NEVER seg faults... unfortunatly my use case needs to route every request through a forward proxy :)

I also tried with an upgraded Curl - apk upgrade gave:

# apk upgrade curl
(1/1) Upgrading curl (7.76.1-r0 -> 7.77.0-r0)
Executing busybox-1.32.1-r6.trigger
OK: 20 MiB in 34 packages

# curl -V

curl 7.77.0 (x86_64-alpine-linux-musl) libcurl/7.77.0 OpenSSL/1.1.1k zlib/1.2.11 brotli/1.0.9 nghttp2/1.42.0
Release-Date: 2021-05-26
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets

/ # nano test.php
/ # php test.php
/ # php test.php
Segmentation fault
/ # php test.php
/ # php test.php
Segmentation fault
/ # php test.php
/ # php test.php
Segmentation fault
/ # php test.php
@PhilETaylor
Copy link
Author

Some debugging has been done by Natanael Copa https://gitlab.alpinelinux.org/alpine/aports/-/issues/12733#note_162131 that might be helpful to determine if this is a Curl or PHP issue...

bagder added a commit that referenced this issue Jun 10, 2021
@bagder
conn_shutdown: if closed during CONNECT cleanup properly
b74fc8c 
Reported-by: Alex Xu
Reported-by: Phil E. Taylor

Fixes #7236
@bagder bagder mentioned this issue Jun 10, 2021
Closed
@bagder
Copy link
Member

bagder commented Jun 10, 2021

Try #7237, I think it might fix the problem.

@PhilETaylor
Copy link
Author

I'm only a PHP type developer so would not know how to compile and test your change, sorry. The other guys over at Alpine Linux might though, I'll cross post it there.

@ncopa
Copy link
Contributor

ncopa commented Jun 11, 2021

Try #7237, I think it might fix the problem.

It does fix the problem. I was not able to reproduce the issue with #7237 applied (~500 tries)

bagder added a commit that referenced this issue Jun 11, 2021
@bagder
conn_shutdown: if closed during CONNECT cleanup properly
7d0d245 
Reported-by: Alex Xu
Reported-by: Phil E. Taylor

Fixes #7236
@bagder bagder closed this as completed in 14a2ca8 Jun 11, 2021
algitbot pushed a commit to alpinelinux/aports that referenced this issue Jun 11, 2021
@ncopa
main/curl: backport fix for curl segfault with proxy
6c7f332 
upstream report curl/curl#7236

ref #12733
algitbot pushed a commit to alpinelinux/aports that referenced this issue Jun 11, 2021
@ncopa
main/curl: backport fix for curl segfault with proxy
1274644 
upstream report curl/curl#7236

fixes #12733

(cherry picked from commit 6c7f332)
@PhilETaylor
Copy link
Author

5 hours to fix here... I love working with developers that take code seriously and provide timely fixes. You guys are awesome!

Drop an email to phil@phil-taylor.com for some serious beer/coffee money as a thank you.

@bagder bagder mentioned this issue Jun 21, 2021
Closed
@hideme4u
Copy link

Hi @bagder / @jay When can we expect a new release for this fix?

@jzakrzewski
Copy link
Contributor

Here's the release schedule: https://curl.se/dev/release-procedure.html#coming-dates

So 21st of July 2021 is the next release.

@hideme4u
Copy link

@jzakrzewski Thank you for the update !!

@sergio-nsk sergio-nsk mentioned this issue Jun 23, 2021
Closed
@bagder bagder mentioned this issue Jul 19, 2021
Closed
@bagder bagder mentioned this issue Aug 19, 2021
Closed
This was referenced Nov 10, 2021
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

conn_shutdown: if closed during CONNECT cleanup properly curl/curl
5 participants
@ncopa @bagder @PhilETaylor @jzakrzewski @hideme4u