
curl-library

Re: curl_easy_perform crash in Curl_do after Curl_reconnect_request has been called

From: Ho-chi Chen <junkleo_at_yahoo.com>
Date: Wed, 26 Sep 2012 08:57:28 -0700 (PDT)

Sorry I didn't make it clear. Yes, it crashed in curl_easy_perform() for the same reason.
 
The previous fix is good if the returned error is CURLE_OK or CURLE_SEND_ERROR, but when I use a debugger to walk through and try to simulate the failure by forcing it to call Curl_reconnect_request() from Curl_do(), Curl_done() returned CURLE_GOT_NOTHING and freed the memory for conn, which is the same memory as *connp. It got freed, but *connp is not set to NULL, and it crashes later in:
static CURLcode Curl_do_perform(struct SessionHandle *data)
{
...
    if(res == CURLE_OK) {
...
// returned CURLE_GOT_NOTHING, conn got freed but not set to NULL
      res = Curl_do(&conn, &do_done);
...
      if(res == CURLE_OK) {
...
      }
      else if(conn)
...
// crash inside since conn has no valid memory
        (void)Curl_done(&conn, res, FALSE);

This may not be a valid test case; I am just not sure that we will never hit the condition where Curl_done() returns different errors. From a programming standpoint, since the memory is freed by Curl_done() in Curl_reconnect_request(), we should set it to NULL to avoid further access.

Thanks,

Ho-chi Chen

Received on 2012-09-26
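
The pattern described in the mail, as an added example that is not part of the original message and is not libcurl code. All names (conn_done, conn_do, perform, the error values) are hypothetical, and a single static slot stands in for heap memory so that a stale access can be counted instead of corrupting memory.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model, not libcurl's structures or functions. */
struct conn { int in_use; };
enum { E_OK = 0, E_GOT_NOTHING = 1 };   /* constructed values */

static struct conn slot;    /* stands in for one heap allocation */
static int stale_uses;      /* cleanup attempts on an already-released conn */

static struct conn *conn_alloc(void) { slot.in_use = 1; return &slot; }

/* Models the cleanup routine: releases *connp and reports an error.
   clear_ptr selects the hardened form that also NULLs the caller's pointer. */
static int conn_done(struct conn **connp, int clear_ptr)
{
  struct conn *c = *connp;
  if(!c)
    return E_OK;                       /* nothing to release */
  if(!c->in_use) {                     /* in real code: use-after-free */
    stale_uses++;
    return E_GOT_NOTHING;
  }
  c->in_use = 0;                       /* "free" the connection */
  if(clear_ptr)
    *connp = NULL;                     /* caller can no longer reach it */
  return E_GOT_NOTHING;
}

/* Models the do step taking the reconnect path, where cleanup runs inside. */
static int conn_do(struct conn **connp, int clear_ptr)
{
  return conn_done(connp, clear_ptr);
}

/* Models the caller: on error it cleans up only if conn is non-NULL.
   Returns the number of stale accesses that guard failed to prevent. */
static int perform(int clear_ptr)
{
  struct conn *conn = conn_alloc();
  int res;
  stale_uses = 0;
  res = conn_do(&conn, clear_ptr);
  if(res != E_OK && conn)
    (void)conn_done(&conn, clear_ptr);
  return stale_uses;
}

int main(void)
{
  printf("pointer left dangling: %d stale use(s)\n", perform(0));
  printf("pointer set to NULL:   %d stale use(s)\n", perform(1));
  return 0;
}
```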