curl-library
NULL dereference in Curl_done
Date: Wed, 6 Mar 2013 20:13:57 +0000
Hello,
I think I'm seeing an issue almost identical to bug tracker item #729, only this time in multi_runsingle(). In CURLM_STATE_DO, Curl_do() gets called and it might set easy->easy_conn to NULL via Curl_connect(). This could fall through to calling Curl_done(), which will try to dereference easy->easy_conn and segfault. The fix for #729 was the following:
--- lib/transfer.c 20 Feb 2008 08:28:02 -0000 1.383
+++ lib/transfer.c 21 Feb 2008 12:17:30 -0000
@@ -2389,7 +2389,7 @@
if(CURLE_OK == res)
res = res2;
}
- else
+ else if(conn)
/* Curl_do() failed, clean up left-overs in the done-call */
res2 = Curl_done(&conn, res, FALSE);
I think something similar in multi_runsingle() would do the trick. Though I'm not quite sure if the Curl_posttransfer() call there is still needed, so perhaps the conditional should go inside the else.
Eric
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-03-06