Bugs item #2905220, was opened at 2009-11-27 20:51
Message generated for change (Comment added) made by csapuntz
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2905220&group_id=976
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: SSL/TLS
Group: crash
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Constantine Sapuntzakis (csapuntz)
Assigned to: Daniel Stenberg (bagder)
Summary: multi + OpenSSL use after free - memory
Initial Comment:
curl_multi_cleanup calls curl_rm_connc eventually which calls conn_free which calls Curl_ossl_close which calls ssl3_shutdown.
ssl3_shutdown fails to send an alert packet (e.g. because the conn timed out) and then logs a message. This calls back into curl ssl_tls_trace. It tries
to use conn->data. But conn->data points to some long gone easy handle (I think). Use after free.
Index: url.c
===================================================================
--- url.c (revision 33084)
+++ url.c (working copy)
@@ -2825,6 +2825,7 @@
ConnectionDone(struct connectdata *conn)
{
conn->inuse = FALSE;
+ conn->data = NULL;
}
/*
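Review bot: Clearing conn->data in ConnectionDone() applies to every connection handed back to the cache, not only the SSL close path described in the report, and the added line carries no comment saying why. Any code that runs after ConnectionDone() and still expects conn->data to be set will now see NULL; the 21:20 comment in this thread reports FTP tests failing because QUIT is no longer issued. Suggest moving the reset to just before the SSL close calls and adding a comment that names the ssl_tls_trace callback as the reason.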
----------------------------------------------------------------------
>Comment By: Constantine Sapuntzakis (csapuntz)
Date: 2009-11-27 21:41
Message:
More conservative diff.
Index: url.c
===================================================================
--- url.c (revision 33154)
+++ url.c (working copy)
@@ -2300,6 +2300,10 @@
if(!conn)
return;
+ /* Curl_ssl_close may lead to ssl_tls_trace being called. Make sure
that function
+ doesn't use an old easy handle that's been freed. */
+ conn->data = NULL;
+
Curl_ssl_close(conn, FIRSTSOCKET);
Curl_ssl_close(conn, SECONDARYSOCKET);
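Review bot: Setting conn->data = NULL ahead of the Curl_ssl_close() calls only turns the stale pointer into a NULL one, so this hunk is safe only if ssl_tls_trace checks conn->data before using it, and that check is not part of the patch. Please confirm the callback returns early on NULL, or add that guard in the same change. Also, the comment was wrapped in transit: the line "that function" has no leading '+', so the patch will not apply as posted; resend it as an attachment or shorten the comment lines.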
----------------------------------------------------------------------
Comment By: Constantine Sapuntzakis (csapuntz)
Date: 2009-11-27 21:20
Message:
Hmm... this causes a bunch of FTP tests to fail because QUIT is no longer
issued.
----------------------------------------------------------------------
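The pattern discussed in this thread, as an added example that is not part of the original report or libcurl's code: a cached connection keeps a back-pointer to its owning handle, a TLS-layer callback fires during close, and the close path clears the pointer first while the callback checks for NULL. All struct and function names below are hypothetical stand-ins.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for this example; not libcurl's real structures. */
struct easy { int trace_count; };          /* models an easy handle */
struct conn {
  struct easy *data;                       /* back-pointer to current owner */
  int skipped;                             /* traces dropped: no owner */
};

/* Models the trace callback the TLS library invokes while it logs. */
static void tls_trace(struct conn *c)
{
  if(!c->data) {                           /* owner detached: nothing to log to */
    c->skipped++;
    return;
  }
  c->data->trace_count++;
}

/* Models a TLS shutdown that fails to send its alert and logs a message. */
static void tls_shutdown(struct conn *c)
{
  tls_trace(c);
}

/* Close path: clear the back-pointer before the TLS layer can call back. */
static void conn_close(struct conn *c)
{
  if(!c)
    return;
  c->data = NULL;
  tls_shutdown(c);
}

/* The easy handle is freed first, then the cached connection is closed.
   Returns the number of trace calls that were safely skipped. */
int close_after_owner_freed(void)
{
  struct easy *e = calloc(1, sizeof(*e));
  struct conn c = { e, 0 };
  if(!e)
    return -1;
  tls_shutdown(&c);                        /* live owner: trace is recorded */
  if(e->trace_count != 1)
    return -1;
  free(e);                                 /* c.data now dangles */
  conn_close(&c);                          /* must not touch the freed handle */
  return c.skipped;
}

int main(void) { return close_after_owner_freed() == 1 ? 0 : 1; }
```

Without the NULL check in the callback, the reset in the close path would trade the stale pointer for a NULL dereference, so the two changes belong together.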
Received on 2009-11-28