Bugs item #3594381, was opened at 2012-12-09 19:16
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3594381&group_id=976
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: crash
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Con Kolivas (ckolivas)
Assigned to: Daniel Stenberg (bagder)
Summary: curl_easy_recv() ends in crash within Curl_recv_plain
Initial Comment:
In the cgminer project ( https://github.com/ckolivas/cgminer ) I am using libcurl version 7.28.1 compiled for mingw32 and using curl easy recv on the raw socket returned. Dropping internet connection on windows* with this compiled version I get a reproducible crash on the following line:
sendf.c:353
failf(conn->data, "Recv failure: %s", Curl_strerror(conn, err));
Debugging is disabled in the build, but this line reliably crashes on mingw32. Commenting out the line entirely the crash goes away. This can be reproduced without dropping internet connection on windows by killing the tcp connection with currports. I don't know the exact mechanism of the crash without digging further but I suspect conn->data is dereferenced.
----------------------------------------------------------------------
>Comment By: Daniel Stenberg (bagder)
Date: 2012-12-11 02:47
Message:
Thanks, but that can't be the end of the story.
The snprintf() function you see used, is an internal function in libcurl
called curl_msnprintf() in lib/mprint.c and you can continue down into that
function to find the actual place it crashes.
And still, snprintf() is used in NUMEROUS places within libcurl on a large
amount of different platforms. Why would mingw32 have a problem with this
particular call?
----------------------------------------------------------------------
Comment By: Con Kolivas (ckolivas)
Date: 2012-12-11 02:14
Message:
I poked around a bit further and found the exact line responsible
sendf.c: 170
snprintf(data->set.errorbuffer, CURL_ERROR_SIZE, "%s",
data->state.buffer);
If I printf data->state.buffer to stdout it is a valid string, and
data->set.errorbuffer points to an address, but writing to
data->set.errorbuffer crashes.
Note this usually happens the second time the tcp connection is reset, with
a reused curl handle. This happens regardless of whether debugging is built
into libcurl or not, or whether CURLOPT_VERBOSE is enabled or not. It does
NOT happen on linux, only mingw32.
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2012-12-10 00:58
Message:
Can you help us and produce a smallish stand-alone program that can repeat
the problem? In the case of the failure, can you use a debugger/printf and
see what 'conn' and 'data' point to at the time of the problem?
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3594381&group_id=976
Received on 2012-12-11