invalid free after an http redirect to ftp

From: Michal Marek <>
Date: Fri, 12 Oct 2007 16:25:23 +0200


Since 7.16.0, Curl_ftp_connect() calls Curl_ftp_disconnect() if there's
a data->reqdata.proto.ftp pointer from a previous connection. The
problem is that it doesn't check whether it's actually a valid struct
FTP pointer (proto is a union). So if curl gets an HTTP 302 redirect to
an ftp url, Curl_ftp_disconnect() will operate on a struct HTTP pointer:

$ ./src/curl -Lv
* About to connect() to port 80 (#0)
* Trying connected
* Connected to ( port 80 (#0)
> GET /pub/find.gz HTTP/1.1
> User-Agent: curl/7.17.1-CVS (x86_64-suse-linux-gnu) libcurl/7.17.1-CVS OpenSSL/0.9.8e zlib/1.2.3 libidn/1.0
> Host:
> Accept: */*
< HTTP/1.1 302 Found
< Date: Fri, 12 Oct 2007 14:14:57 GMT
< Server: Apache/1.3.37 (Unix) PHP/4.4.4 mod_perl/1.29
< Location:
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=iso-8859-1
* Ignoring the response-body
* Connection #0 to host left intact
* Issue another request to this URL: ''
* About to connect() to port 21 (#1)
* Trying connected
* Connected to ( port 21 (#1)
*** glibc detected *** /home/mmarek/curl/cvs/src/.libs/lt-curl: free(): invalid pointer: 0x00002aed47f2a529 ***

The invalid free turns out to be free(ftp->file) in freedirs(), but that
doesn't matter. The point is that a struct HTTP is confused with struct FTP.

I tried to fix it, but besides removing the Curl_ftp_disconnect() call,
making proto a struct or freeing proto.http in Curl_http_done() I
couldn't come up with a solution that fixes the bug, doesn't leak memory
allocated for http and doesn't cause new problems / deficiencies. Ideas?

BTW this is the original ("downstream"? :)) bug report I'm trying to fix:

Received on 2007-10-12
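
The union confusion reported in this message, modelled as an added example (not libcurl's code and not the fix that was eventually applied): a tag records which union member is live, so the FTP connect path frees ftp->file only when the previous state really was FTP. The struct layouts, the owner field and all function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the per-request protocol state (hypothetical layout). */
struct http_state { char scratch[32]; };   /* no heap-owned members */
struct ftp_state  { char *file; };         /* file is heap-owned, freed on disconnect */
enum proto_kind { PROTO_NONE, PROTO_HTTP, PROTO_FTP };

struct request {
    enum proto_kind owner;                 /* tag added here: which union member is live */
    union { struct http_state *http; struct ftp_state *ftp; void *any; } proto;
};

/* Release the previous protocol's state; member frees depend on the tag. */
static enum proto_kind release_proto(struct request *r) {
    enum proto_kind was = r->owner;
    if (was == PROTO_FTP && r->proto.ftp)
        free(r->proto.ftp->file);          /* only reached for a real struct ftp_state */
    free(r->proto.any);                    /* the state block itself, whichever kind */
    r->proto.any = NULL;
    r->owner = PROTO_NONE;
    return was;
}

static int http_setup(struct request *r) {
    release_proto(r);
    r->proto.http = calloc(1, sizeof(struct http_state));
    if (r->proto.http) r->owner = PROTO_HTTP;
    return r->proto.http ? 0 : -1;
}

/* FTP connect after a redirect: returns the kind of state it had to clean up. */
static enum proto_kind ftp_connect(struct request *r, const char *file) {
    enum proto_kind cleaned = release_proto(r);
    r->proto.ftp = calloc(1, sizeof(struct ftp_state));
    if (!r->proto.ftp) return cleaned;
    r->proto.ftp->file = malloc(strlen(file) + 1);
    if (r->proto.ftp->file) strcpy(r->proto.ftp->file, file);
    r->owner = PROTO_FTP;
    return cleaned;
}

int main(void) {
    struct request r = { PROTO_NONE, { NULL } };
    http_setup(&r);                        /* first request: HTTP, answered with a 302 */
    ftp_connect(&r, "find.gz");            /* redirect target: FTP (constructed file name) */
    return release_proto(&r) == PROTO_FTP ? 0 : 1;
}
```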