curl-library
Re: abort trap: double-free bug in lib/ssluse.c:Curl_ossl_close() ???
Date: Thu, 19 Apr 2007 14:22:47 +0000 (GMT)
DS> Date: Thu, 19 Apr 2007 09:33:45 +0200 (CEST)
DS> From: Daniel Stenberg
DS> > I've found that OpenSSL also is internally detecting a divide-by-zero
DS> > error
DS>
DS> When?
When ssluse.c:Curl_ossl_step2() invokes SSL_connect(connssl->handle).
In 7.15.5, the failf() call at ssluse.c:1458 is what catches the ossl
failure.
DS> > which causes libcurl to [attempt to] clean up, which is when the
DS> > double-free trap occurs.
DS>
DS> So this is then an OpenSSL bug rather than a libcurl one?
I'm tempted to conclude that's the case; even if the root cause is in
PHP or libcurl, I don't see why ossl is hitting a div-by-zero. (Of
course, I'm now elbow-deep in the source of three programs which I've
never before spent much time exploring... so my identification accuracy
certainly isn't 100%.)
FWIW,
curl_setopt($ch, CURLOPT_SSLVERSION, $something) ;
in PHP can reliably set the behavior to any of:
* a trap before any HTTPS response
* a trap after pulling some of the headers
* SIGSEGV
* alternating SIGBUS and SIGILL
depending entirely on PHP version and value of $something. I probably
should whip up a contrived C-based libcurl test based on what PHP is
setting.
I suppose it could be also libc-related. *shrug* I just need to keep
unraveling this mess...
At any rate:
If I find something that looks libcurl-related, I'll post again.
Unless that happens, I wanted to close the thread on a "doesn't look
like a libcurl problem after all" note.
Thanks again,
Eddy
-- Everquick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita ________________________________________________________________________ DO NOT send mail to the following addresses: davidc_at_brics.com -*- jfconmaapaq_at_intc.net -*- sam_at_everquick.net Sending mail to spambait addresses is a great way to get blocked. Ditto for broken OOO autoresponders and foolish AV software backscatter.Received on 2007-04-19