
#883 multi + OpenSSL use after free - memory

Status: closed-fixed
Group: SSL/TLS
Priority: 6
Updated: 2014-08-14
Created: 2009-11-28
Private: No

curl_multi_cleanup calls curl_rm_connc eventually which calls conn_free which calls Curl_ossl_close which calls ssl3_shutdown.

ssl3_shutdown fails to send an alert packet (e.g. because the conn timed out) and then logs a message. This calls back into curl's ssl_tls_trace. It tries to use conn->data. But conn->data points to some long gone easy handle (I think). Use after free.

Index: url.c

--- url.c (revision 33084)
+++ url.c (working copy)
@@ -2825,6 +2825,7 @@
ConnectionDone(struct connectdata *conn)
{
conn->inuse = FALSE;
+ conn->data = NULL;
}

/*
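
Review bot: clearing conn->data inside ConnectionDone() runs for every transfer that releases its connection (the same place conn->inuse is set to FALSE), not only in the curl_multi_cleanup() teardown the report describes, so anything that still reaches the easy handle through the connection afterwards (the FTP QUIT on disconnect mentioned in the follow-up) loses it. Narrow the change to the teardown path by clearing the pointer immediately before the Curl_ssl_close() calls, and make sure ssl_tls_trace() checks conn->data for NULL rather than dereferencing it.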
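
An added example (not curl's code) that models the ownership problem described above and the fix the patch applies: a connection keeps a back-pointer (conn->data) to an easy handle that curl_multi_cleanup has already destroyed, the SSL shutdown re-enters curl through the trace callback, and clearing the pointer before Curl_ssl_close plus a NULL check in the callback stops the stale access. The structs, the 'freed' flag and run_cleanup are stand-ins constructed for this example; only the names mirror curl's.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for curl's structures (example code, not curl's). A connection
 * keeps a back-pointer to the easy handle that owns it; 'freed' marks a
 * destroyed handle so the stale access can be counted instead of crashing. */
struct easy_handle { int verbose; int freed; };
struct connectdata { struct easy_handle *data; };

static int stale_uses;  /* trace callbacks that touched a destroyed handle */

/* Stand-in for ssl_tls_trace(): reached from inside the SSL shutdown path. */
static void ssl_tls_trace(struct connectdata *conn, const char *msg)
{
    if (!conn->data)         /* tolerate a cleared back-pointer (fixed path) */
        return;
    if (conn->data->freed) { /* in the real code this is the use-after-free */
        stale_uses++;
        return;
    }
    if (conn->data->verbose)
        printf("TLS: %s\n", msg);
}

/* Stand-in for Curl_ssl_close(): the shutdown alert cannot be sent and the
 * failure is logged, which re-enters curl through the trace callback. */
static void Curl_ssl_close(struct connectdata *conn)
{
    ssl_tls_trace(conn, "shutdown alert could not be sent");
}

/* curl_multi_cleanup scenario: the easy handle is destroyed first, then the
 * cached connection is torn down. Returns the count of stale dereferences. */
static int run_cleanup(int clear_backpointer)
{
    struct easy_handle *easy = calloc(1, sizeof *easy);
    struct connectdata *conn = calloc(1, sizeof *conn);
    easy->verbose = 1;
    conn->data = easy;
    stale_uses = 0;
    easy->freed = 1;             /* curl_easy_cleanup() has already run */
    if (clear_backpointer)
        conn->data = NULL;       /* the patch: clear before Curl_ssl_close */
    Curl_ssl_close(conn);
    free(conn);
    free(easy);
    return stale_uses;
}
```

run_cleanup(0) reproduces the stale access (returns 1) and run_cleanup(1) shows the patched teardown (returns 0).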

Discussion

  • Constantine Sapuntzakis

    Hmm... this causes a bunch of FTP tests to fail because QUIT is no longer issued.

     
  • Constantine Sapuntzakis

    More conservative diff.

    Index: url.c

    --- url.c (revision 33154)
    +++ url.c (working copy)
    @@ -2300,6 +2300,10 @@
    if(!conn)
    return;

    + /* Curl_ssl_close may lead to ssl_tls_trace being called. Make sure that function
    + doesn't use an old easy handle that's been freed. */
    + conn->data = NULL;
    +
    Curl_ssl_close(conn, FIRSTSOCKET);
    Curl_ssl_close(conn, SECONDARYSOCKET);
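
    Review bot: clearing conn->data right before the Curl_ssl_close() calls removes the dangling pointer, but it only closes the bug if ssl_tls_trace() (and anything else reachable from Curl_ssl_close()) checks conn->data for NULL before using it; otherwise the use-after-free becomes a NULL dereference at the same spot. That check is not part of this hunk, so either confirm it exists or extend the added comment to state that callbacks reached from the close path must tolerate a NULL easy handle.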

     
  • Daniel Stenberg

    Daniel Stenberg - 2009-11-29

    Can you provide an example that repeats this problem?

     
  • Daniel Stenberg

    Daniel Stenberg - 2009-11-29
    • priority: 5 --> 6
     
  • Constantine Sapuntzakis

    Added example to the bug.

     
  • Daniel Stenberg

    Daniel Stenberg - 2009-12-08

    $ python httpd.py --ssl=localhost.pem
    Traceback (most recent call last):
    File "httpd.py", line 12, in <module>
    import ssl

    What particular package might that be from?

     
  • Constantine Sapuntzakis

    Repro w/stunnel

     
  • Constantine Sapuntzakis

    Attached a new version with instructions to set up server with stunnel. Will probably need to delete the line "import ssl" in httpd.py to have it work.

     
  • Daniel Stenberg

    Daniel Stenberg - 2009-12-08

    Thank you. I can repeat the crash now...

     
  • Daniel Stenberg

    Daniel Stenberg - 2009-12-10
    • status: open --> pending-fixed
     
  • Daniel Stenberg

    Daniel Stenberg - 2009-12-10

    Thanks for the report, this problem is now fixed in CVS!

     
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
  • SourceForge Robot

    • status: pending-fixed --> closed-fixed