Bugs item #2905220, was opened at 2009-11-28 04:51
Message generated for change (Settings changed) made by sf-robot
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2905220&group_id=976
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: SSL/TLS
Group: crash
>Status: Closed
Resolution: Fixed
Priority: 6
Private: No
Submitted By: Constantine Sapuntzakis (csapuntz)
Assigned to: Daniel Stenberg (bagder)
Summary: multi + OpenSSL use after free - memory
Initial Comment:
curl_multi_cleanup calls curl_rm_connc eventually which calls conn_free which calls Curl_ossl_close which calls ssl3_shutdown.
ssl3_shutdown fails to send an alert packet (e.g. because the conn timed out) and then logs a message. This calls back into curl ssl_tls_trace. It tries
to use conn->data. But conn->data points to some long gone easy handle (I think). Use after free.
Index: url.c
===================================================================
--- url.c (revision 33084)
+++ url.c (working copy)
@@ -2825,6 +2825,7 @@
ConnectionDone(struct connectdata *conn)
{
conn->inuse = FALSE;
+ conn->data = NULL;
}
/*
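Review bot: Clearing conn->data inside ConnectionDone() applies to every release of a connection, not only to the curl_multi_cleanup path in the report, so any code that runs on the connection after ConnectionDone() and still needs the easy handle now finds NULL. Consider resetting the pointer nearer to the close path instead, and put a comment beside "conn->data = NULL;" naming the callback it protects, since the line gives no reason on its own.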
----------------------------------------------------------------------
>Comment By: SourceForge Robot (sf-robot)
Date: 2009-12-25 02:20
Message:
This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2009-12-10 20:25
Message:
Thanks for the report, this problem is now fixed in CVS!
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2009-12-08 23:03
Message:
Thank you. I can repeat the crash now...
----------------------------------------------------------------------
Comment By: Constantine Sapuntzakis (csapuntz)
Date: 2009-12-08 19:43
Message:
Attached a new version with instructions to set up server with stunnel.
Will probably need to delete the line "import ssl" in httpd.py to have it
work.
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2009-12-08 19:03
Message:
$ python httpd.py --ssl=localhost.pem
Traceback (most recent call last):
File "httpd.py", line 12, in <module>
import ssl
What particular package might that be from?
----------------------------------------------------------------------
Comment By: Constantine Sapuntzakis (csapuntz)
Date: 2009-11-30 03:03
Message:
Added example to the bug.
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2009-11-29 19:09
Message:
Can you provide an example that repeats this problem?
----------------------------------------------------------------------
Comment By: Constantine Sapuntzakis (csapuntz)
Date: 2009-11-28 05:41
Message:
More conservative diff.
Index: url.c
===================================================================
--- url.c (revision 33154)
+++ url.c (working copy)
@@ -2300,6 +2300,10 @@
if(!conn)
return;
+ /* Curl_ssl_close may lead to ssl_tls_trace being called. Make sure
that function
+ doesn't use an old easy handle that's been freed. */
+ conn->data = NULL;
+
Curl_ssl_close(conn, FIRSTSOCKET);
Curl_ssl_close(conn, SECONDARYSOCKET);
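Review bot: Setting conn->data = NULL ahead of the two Curl_ssl_close() calls only helps if the code reached from them (ssl_tls_trace, per the new comment) tests conn->data before using it; otherwise the access to a freed handle turns into a NULL dereference. Confirm that check exists or add it in the same change. The first line of the added comment has also wrapped in the mail, leaving "that function" without a leading "+", so the patch will not apply as posted.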
----------------------------------------------------------------------
Comment By: Constantine Sapuntzakis (csapuntz)
Date: 2009-11-28 05:20
Message:
Hmm... this causes a bunch of FTP tests to fail because QUIT is no longer
issued.
----------------------------------------------------------------------
Received on 2009-12-25
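
The lifetime problem from the initial comment, as an added C model (not curl's code and not part of the original thread): a cached connection keeps a back-pointer to a handle that is freed first, and a trace callback fires during TLS close. All type and function names here are hypothetical, and the scenario is constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model types; these are not libcurl's structures. */
struct easy { int traces_seen; };   /* per-transfer handle */
struct conn { struct easy *data; }; /* cached connection, outlives the handle */

static int dropped; /* trace events that arrived with no live owner */

/* Stand-in for the TLS library's message callback. */
static void tls_trace(struct conn *c)
{
  if(!c->data) { dropped++; return; } /* owner gone: never dereference */
  c->data->traces_seen++;
}

/* Stand-in for TLS shutdown: the alert cannot be sent, which gets logged. */
static void tls_close(struct conn *c) { tls_trace(c); }

/* Cache teardown. Clearing the back-pointer before tls_close() is the step
   the conservative diff adds; without it c->data would dangle here. */
static void conn_free(struct conn *c)
{
  if(!c) return;
  c->data = NULL;
  tls_close(c);
  free(c);
}

/* Constructed scenario. Returns events dropped at teardown and stores the
   events delivered while the owner was alive in *live; -1 on alloc failure. */
int run_scenario(int *live)
{
  struct easy *e = calloc(1, sizeof(*e));
  struct conn *c = calloc(1, sizeof(*c));
  if(!e || !c) { free(e); free(c); return -1; }
  dropped = 0;
  c->data = e;
  tls_trace(c);          /* owner alive: event delivered */
  *live = e->traces_seen;
  free(e);               /* easy handle destroyed, connection stays cached */
  conn_free(c);          /* later cache cleanup */
  return dropped;
}

int main(void)
{
  int live = 0, d = run_scenario(&live);
  printf("dropped=%d live=%d\n", d, live);
  return 0;
}
```

Building this with -fsanitize=address and deleting the "c->data = NULL;" line makes the sanitizer report the stale access in tls_trace().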