
Double free after curl_easy_pause

From: Richard Bowker via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 5 Nov 2019 02:26:22 -0800

We are in the process of upgrading an existing application from curl 7.51.0 and have discovered a double free issue; we are not sure if this is an unintentional consequence of a curl change, or just that we have been handling this wrong all along.

Some background: we have a socket callback function that contains the following code (the intention is to ensure we correctly handle transfers that are left over if we are paused when the socket closes). It is being invoked from curl_multi_closed when we see the issue.

```
 // Inside our CURLMOPT_SOCKETFUNCTION callback: `e` is the easy handle and
 // `what` the requested poll action passed in by libcurl.
 if (what == CURL_POLL_REMOVE) {
     http::Transfer *t;
     // Recover the per-transfer object we stored with CURLOPT_PRIVATE
     curl_easy_getinfo(e, CURLINFO_PRIVATE, &t);
     assert(t);
     if (!t->finished) {
         // Make sure paused transfers complete
         curl_easy_pause(e, CURLPAUSE_CONT);
     }
     ...
```

This has apparently been working fine for several years; however, the following change causes us a problem: https://github.com/curl/curl/commit/26d3d2384b1aa336f7a2634c3c3068a46a8cfa52

The addition of the call to Curl_updatesocket(data) in curl_easy_pause results in Curl_hash_destroy being triggered, but immediately after the socket callback completes we hit this line:

  https://github.com/curl/curl/blob/26d3d2384b1aa336f7a2634c3c3068a46a8cfa52/lib/multi.c#L2455

which also results in a call to Curl_hash_destroy, and we see a double free. So, should we be doing this differently, or was this an unexpected side effect of the change?

thank you

Rich
Received on 2019-11-05