
curl-tracker mailing list Archives

[ curl-Bugs-2868910 ] dangling pointer on reused ssl connections

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Mon, 28 Sep 2009 16:53:00 +0000

Bugs item #2868910, was opened at 2009-09-28 16:07
Message generated for change (Comment added) made by tomekbury
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2868910&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: SSL/TLS
Group: crash
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Tomek Bury (tomekbury)
Assigned to: Daniel Stenberg (bagder)
Summary: dangling pointer on reused ssl connections

Initial Comment:
When libCurl reuses an existing SSL/TLS connection, it doesn't call the ssl ctx function set by CURLOPT_SSL_CTX_FUNCTION and CURLOPT_SSL_CTX_DATA. Instead it blindly reuses the ssl context modified by whichever easy request was using it previously.

As a result, example code using the ssl ctx callback to call SSL_CTX_set_cert_verify_callback (as per the curlx.c example) may lead to use of a dangling pointer.

Scenario:

1. easy request 1 sets CURLOPT_SSL_CTX_FUNCTION and CURLOPT_SSL_CTX_DATA, data points to request's data.
2. easy_perform called on request 1 triggers ssl ctx function, which in turn calls SSL_CTX_set_cert_verify_callback
3. later on verify callback fires and uses request's data.
4. request 1 completes, request's data is deleted

so far so good...

5. easy request 1 sets CURLOPT_SSL_CTX_FUNCTION and CURLOPT_SSL_CTX_DATA, data points to 2nd request's data.
6. easy_perform called on request 2 does NOT trigger ssl ctx function
7. later on verify callback fires and uses the 1st request's data but now it's a dangling pointer.
8. memory corruption

----------------------------------------------------------------------

>Comment By: Tomek Bury (tomekbury)
Date: 2009-09-28 17:52

Message:
I made a typo:

5. easy request 1 - should be request 2, not 1.

The whole point is that changes made to ssl context by one easy handle are
silently reused by different, unrelated easy handle.

----------------------------------------------------------------------

Received on 2009-09-28
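
The scenario from the report, reduced to a self-contained C model. This is an added example, not code from the report, libcurl or OpenSSL: every type and function name is hypothetical, and the deleted request data is modelled with an `alive` flag so the stale access can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stddef.h>

/* Per-request data, playing the role of the CURLOPT_SSL_CTX_DATA pointer. */
struct req_data { int id; int alive; };
typedef int (*verify_cb)(void *arg);

struct tls_ctx { verify_cb cb; void *cb_arg; };        /* stands in for the SSL context */
struct conn { struct tls_ctx ctx; int established; };  /* cached, reusable connection */

static int seen_id, seen_alive;  /* what the verify callback last touched */

static int verify(void *arg) {
    struct req_data *d = arg;
    seen_id = d->id;
    seen_alive = d->alive;  /* with really freed memory this read is a use-after-free */
    return d->alive;
}

/* Role of the CURLOPT_SSL_CTX_FUNCTION callback: bind the verify callback to this request. */
static void ctx_function(struct tls_ctx *ctx, void *data) {
    ctx->cb = verify;
    ctx->cb_arg = data;
}

/* One transfer. rebind_on_reuse = 0 models the reported behaviour;
   1 models calling the ctx function for every easy handle (an assumed remedy). */
static int perform(struct conn *c, struct req_data *d, int rebind_on_reuse) {
    if (!c->established || rebind_on_reuse)
        ctx_function(&c->ctx, d);
    c->established = 1;
    return c->ctx.cb(c->ctx.cb_arg);  /* verify callback fires during the transfer */
}

/* Runs the report's steps; returns the id of the request whose data the
   second transfer's verify callback used. */
static int run_scenario(int rebind_on_reuse) {
    struct conn c = {{NULL, NULL}, 0};
    struct req_data r1 = {1, 1}, r2 = {2, 1};
    perform(&c, &r1, rebind_on_reuse);
    r1.alive = 0;                       /* step 4: request 1's data is deleted */
    perform(&c, &r2, rebind_on_reuse);  /* steps 5-7: request 2 reuses the connection */
    return seen_id;
}

int main(void) {
    int id = run_scenario(0);
    printf("reported behaviour: callback used request %d data (alive=%d)\n", id, seen_alive);
    id = run_scenario(1);
    printf("rebinding on reuse: callback used request %d data (alive=%d)\n", id, seen_alive);
    return 0;
}
```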
