curl-library

invalid free after an http redirect to ftp

From: Michal Marek <mmarek_at_suse.cz>
Date: Fri, 12 Oct 2007 16:25:23 +0200

Hi,

since 7.16.0, Curl_ftp_connect() calls Curl_ftp_disconnect() if there's
a data->reqdata.proto.ftp pointer from a previous connection. The
problem is that it doesn't check whether it's actually a valid struct
FTP pointer (proto is a union). So if curl gets an HTTP 302 redirect to
an ftp url, Curl_ftp_disconnect() will operate on a struct HTTP pointer:

$ ./src/curl -Lv http://ftp.uninett.no/pub/find.gz
* About to connect() to ftp.uninett.no port 80 (#0)
* Trying 158.36.2.10... connected
* Connected to ftp.uninett.no (158.36.2.10) port 80 (#0)
> GET /pub/find.gz HTTP/1.1
> User-Agent: curl/7.17.1-CVS (x86_64-suse-linux-gnu) libcurl/7.17.1-CVS
OpenSSL/0.9.8e zlib/1.2.3 libidn/1.0
> Host: ftp.uninett.no
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Fri, 12 Oct 2007 14:14:57 GMT
< Server: Apache/1.3.37 (Unix) PHP/4.4.4 mod_perl/1.29
< Location: ftp://ftp.uninett.no/pub/find.gz
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host ftp.uninett.no left intact
* Issue another request to this URL: 'ftp://ftp.uninett.no/pub/find.gz'
* About to connect() to ftp.uninett.no port 21 (#1)
* Trying 158.36.2.10... connected
* Connected to ftp.uninett.no (158.36.2.10) port 21 (#1)
*** glibc detected *** /home/mmarek/curl/cvs/src/.libs/lt-curl: free():
invalid pointer: 0x00002aed47f2a529 ***

The invalid free turns out to be free(ftp->file) in freedirs(), but that
doesn't matter. The point is that a struct HTTP is confused with struct FTP.

I tried to fix it, but besides removing the Curl_ftp_disconnect() call,
making proto a struct or freeing proto.http in Curl_http_done() I
couldn't come up with a solution that fixes the bug, doesn't leak memory
allocated for http and doesn't cause new problems / deficiencies. Ideas?

BTW this is the original ("downstream"? :)) bugreport I'm trying to fix:
https://bugzilla.novell.com/show_bug.cgi?id=332917

Michal
Received on 2007-10-12
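
The union confusion described in the report above, as an added example that is not part of the original mail and is not libcurl's code: a simplified model in which a tag records which member of proto is live, so the FTP teardown (the free of ftp->file) only ever runs on a real struct FTP. The struct layouts, the kind tag and the function names are assumptions made for illustration, and this is not presented as the fix curl adopted.

```c
#include <stdlib.h>
#include <string.h>
struct HTTP { const char *postdata; long postsize; }; /* assumed layout */
struct FTP  { char *file; long bytecount; };          /* assumed layout */
enum proto_kind { PROTO_NONE, PROTO_HTTP, PROTO_FTP };
struct request {
  enum proto_kind kind;        /* tag: which union member is live */
  union { struct HTTP *http; struct FTP *ftp; } proto;
};

/* Free the previous request's state by tag; returns the kind released. */
static enum proto_kind release_proto(struct request *r)
{
  enum proto_kind was = r->kind;
  if(was == PROTO_FTP) free(r->proto.ftp->file); /* FTP-only cleanup */
  free(was == PROTO_FTP ? (void *)r->proto.ftp : (void *)r->proto.http);
  r->proto.http = NULL;
  r->kind = PROTO_NONE;
  return was;
}

static int http_connect(struct request *r)
{
  release_proto(r);
  r->proto.http = calloc(1, sizeof(struct HTTP));
  if(!r->proto.http) return -1;
  r->proto.http->postdata = "constructed"; /* static storage: must never reach free() */
  r->kind = PROTO_HTTP;
  return 0;
}

static int ftp_connect(struct request *r, const char *path)
{
  release_proto(r);            /* safe after HTTP: cleanup dispatches on the tag */
  struct FTP *ftp = calloc(1, sizeof(*ftp));
  if(!ftp) return -1;
  ftp->file = malloc(strlen(path) + 1);
  if(!ftp->file) { free(ftp); return -1; }
  strcpy(ftp->file, path);
  r->proto.ftp = ftp;
  r->kind = PROTO_FTP;
  return 0;
}

int main(void)
{
  struct request r = { PROTO_NONE, { NULL } };
  return http_connect(&r) || ftp_connect(&r, "/pub/find.gz") || release_proto(&r) != PROTO_FTP;
}
```

In this model the HTTP state's first field points at static storage, which is the kind of value that reaches free() when the union member is read as a struct FTP without a tag check.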