
curl-tracker mailing list Archives

[ curl-Bugs-1896698 ] NULL pointer dereferenced in Curl_done()

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Mon, 18 Feb 2008 23:17:57 -0800

Bugs item #1896698, was opened at 2008-02-19 10:16
Message generated for change (Settings changed) made by zmey_
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1896698&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: crash
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Zmey (zmey_)
Assigned to: Daniel Stenberg (bagder)
>Summary: NULL pointer dereferenced in Curl_done()

Initial Comment:
The problem appears both in libcurl 7.16.4 and 7.18.0 (latest to date).
Application crashes when traversing an FTP site (which is simply a series of FTP LIST commands). The crash is at the beginning of Curl_done() when it is called with connection pointer equal to NULL:

file url.c:
CURLcode Curl_done(struct connectdata **connp, /* 'connp' points to NULL */
                   CURLcode status,
                   bool premature)
{
  CURLcode result;
  struct connectdata *conn = *connp; /* assigning NULL to 'conn' */
  struct SessionHandle *data = conn->data; /* dereferencing... Oops! */

...

Curl_done() is called from Curl_perform():

file transfer.c:

CURLcode Curl_perform(struct SessionHandle *data)
{
...
  do {
    res = connect_host(data, &conn); /* primary connection */
    if(res == CURLE_OK) {
...
      /* !!! note: this may nullify the connection! */
      res = Curl_do(&conn, &do_done);

      if(res == CURLE_OK) {
...
/* long and ugly-looking sequence of nested if()'s */
...
      }
      else /* !!! note: Curl_do() returned failure, 'conn' may be NULL */
        /* Curl_do() failed, clean up left-overs in the done-call */
        res2 = Curl_done(&conn, res, FALSE); /* oops... */

Proposed solution:
Check for NULL connection at the beginning of Curl_done():

file url.c:

CURLcode Curl_done(struct connectdata **connp,
                   CURLcode status,
                   bool premature)
{
  CURLcode result;
  struct connectdata *conn = *connp;
  struct SessionHandle *data;

  if(conn == NULL)
     return CURLE_OK; /* or some error code */

  data = conn->data; /* safe to dereference */

----------------------------------------------------------------------

Received on 2008-02-19
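
The call sequence from the report, reduced to a self-contained model. This is an added example, not libcurl source and not the reporter's code: every `demo_*` name and type is a hypothetical stand-in, and returning the incoming status (rather than an OK code) when the connection is already gone is this example's own choice, made so the original failure is not masked.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for libcurl's types; not the real definitions. */
typedef enum { DEMO_OK = 0, DEMO_FTP_ERROR = 1 } demo_code;
struct demo_session { int done_calls; };
struct demo_conn { struct demo_session *data; };

/* Models Curl_do(): on failure it may tear the connection down and set
   the caller's pointer to NULL, which is the situation the report describes. */
static demo_code demo_do(struct demo_conn **connp, int fail)
{
  if(fail) {
    free(*connp);
    *connp = NULL;
    return DEMO_FTP_ERROR;
  }
  return DEMO_OK;
}

/* Models the guarded Curl_done(): the NULL check comes before the first
   dereference. Passing 'status' through is an assumption of this example. */
static demo_code demo_done(struct demo_conn **connp, demo_code status)
{
  struct demo_conn *conn;
  if(connp == NULL || *connp == NULL)
    return status;            /* connection already gone, nothing to clean */
  conn = *connp;
  conn->data->done_calls++;   /* safe to dereference here */
  free(conn);
  *connp = NULL;              /* never leave a dangling pointer behind */
  return status;
}

/* Models the Curl_perform() sequence: do, then done on either outcome. */
static demo_code demo_perform(struct demo_session *data, int fail)
{
  struct demo_conn *conn = malloc(sizeof(*conn));
  if(conn == NULL)
    return DEMO_FTP_ERROR;
  conn->data = data;
  return demo_done(&conn, demo_do(&conn, fail));
}

int main(void)
{
  struct demo_session s = {0};
  return (demo_perform(&s, 1) == DEMO_FTP_ERROR && s.done_calls == 0) ? 0 : 1;
}
```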
