curl-tracker mailing list Archives

[ curl-Bugs-2905220 ] multi + OpenSSL use after free - memory

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Tue, 08 Dec 2009 23:03:16 +0000

Bugs item #2905220, was opened at 2009-11-28 05:51
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2905220&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: SSL/TLS
Group: crash
Status: Open
Resolution: None
Priority: 6
Private: No
Submitted By: Constantine Sapuntzakis (csapuntz)
Assigned to: Daniel Stenberg (bagder)
Summary: multi + OpenSSL use after free - memory

Initial Comment:
curl_multi_cleanup calls curl_rm_connc eventually which calls conn_free which calls Curl_ossl_close which calls ssl3_shutdown.

ssl3_shutdown fails to send an alert packet (e.g. because the conn timed out) and then logs a message. This calls back into curl ssl_tls_trace. It tries
to use conn->data. But conn->data points to some long gone easy handle (I think). Use after free.

Index: url.c
===================================================================
--- url.c (revision 33084)
+++ url.c (working copy)
@@ -2825,6 +2825,7 @@
 ConnectionDone(struct connectdata *conn)
 {
   conn->inuse = FALSE;
+ conn->data = NULL;
 }
 
 /*
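Review bot: clearing conn->data in ConnectionDone() is broader than the crash needs, since it drops the easy handle for every connection that is marked done, not only on the teardown path that reaches ssl_tls_trace. A later comment in this thread (2009-11-28 06:20) reports FTP tests failing because QUIT is no longer issued, which looks like a consequence of this. Consider resetting the pointer only on the close path, or having the trace callback return early when conn->data is NULL, and add a comment next to the assignment saying why the handle is cleared.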

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2009-12-09 00:03

Message:
Thank you. I can repeat the crash now...

----------------------------------------------------------------------

Comment By: Constantine Sapuntzakis (csapuntz)
Date: 2009-12-08 20:43

Message:
Attached a new version with instructions to set up server with stunnel.
Will probably need to delete the line "import ssl" in httpd.py to have it
work.

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2009-12-08 20:03

Message:
$ python httpd.py --ssl=localhost.pem
Traceback (most recent call last):
  File "httpd.py", line 12, in <module>
    import ssl

What particular package might that be from?

----------------------------------------------------------------------

Comment By: Constantine Sapuntzakis (csapuntz)
Date: 2009-11-30 04:03

Message:
Added example to the bug.

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2009-11-29 20:09

Message:
Can you provide an example that repeats this problem?

----------------------------------------------------------------------

Comment By: Constantine Sapuntzakis (csapuntz)
Date: 2009-11-28 06:41

Message:
More conservative diff.

Index: url.c
===================================================================
--- url.c (revision 33154)
+++ url.c (working copy)
@@ -2300,6 +2300,10 @@
   if(!conn)
     return;

+ /* Curl_ssl_close may lead to ssl_tls_trace being called. Make sure
that function
+ doesn't use an old easy handle that's been freed. */
+ conn->data = NULL;
+
   Curl_ssl_close(conn, FIRSTSOCKET);
   Curl_ssl_close(conn, SECONDARYSOCKET);
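Review bot: with conn->data set to NULL immediately before the two Curl_ssl_close() calls, ssl_tls_trace and anything else reached from them must check conn->data before dereferencing it, otherwise the use after free turns into a NULL pointer dereference; that check is not part of this hunk, so confirm it exists or add it. The comment text is also wrapped by the mail client (the line "that function" has no + prefix), so the diff will not apply as posted; re-send it as an attachment or keep the comment lines short enough not to wrap.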

----------------------------------------------------------------------

Comment By: Constantine Sapuntzakis (csapuntz)
Date: 2009-11-28 06:20

Message:
Hmm... this causes a bunch of FTP tests to fail because QUIT is no longer
issued.

----------------------------------------------------------------------

Received on 2009-12-09
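
The stale back-pointer described in this report and the guard used by the "more conservative diff", as an added C sketch that is not code from curl or from anyone in the thread. `struct handle`, `struct conn`, `tls_trace`, `conn_disconnect` and `demo` are hypothetical stand-ins for the easy handle, `connectdata`, `ssl_tls_trace` and the disconnect path; the NULL check inside the callback is an assumption about what the callback needs.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for curl's easy handle and connectdata. */
struct handle { int verbose; int traces_seen; };
struct conn {
  struct handle *data;   /* back-pointer to the current owner */
  int dropped_traces;    /* traces that arrived with no owner */
};

/* Stand-in for ssl_tls_trace: the TLS library may call it at any time,
   including from inside its shutdown routine. */
static void tls_trace(struct conn *c, const char *msg)
{
  if(!c->data) {         /* no live owner: do not dereference */
    c->dropped_traces++;
    return;
  }
  c->data->traces_seen++;
  if(c->data->verbose)
    fprintf(stderr, "* %s\n", msg);
}

/* Stand-in for the disconnect path: detach from the owner first, because
   the TLS shutdown below can fire the trace callback. */
static void conn_disconnect(struct conn *c)
{
  c->data = NULL;
  tls_trace(c, "shutdown alert could not be sent");
}

/* Constructed scenario: the owner is freed while the connection stays
   cached, then the cache is torn down. Returns the dropped trace count. */
int demo(void)
{
  struct conn c = {0};
  struct handle *h = calloc(1, sizeof(*h));
  int seen;
  if(!h)
    return -1;
  c.data = h;
  tls_trace(&c, "handshake");   /* owner alive: trace is delivered */
  seen = h->traces_seen;
  free(h);                      /* c.data now dangles, as in the report */
  conn_disconnect(&c);          /* without the reset this reads freed memory */
  return seen == 1 ? c.dropped_traces : -1;
}

int main(void) { printf("dropped=%d\n", demo()); return 0; }
```

Building the sketch with `-fsanitize=address` and removing the `c->data = NULL` line makes the sanitizer report the heap use after free at the dereference in `tls_trace`.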

Page updated November 12, 2010.