Segfault in imap_done when calling curl_multi_remove_handle() #1953
Comments
In stack frame, the monster condition looks like:
So which of these was set to make the code execute this block? I'm trying to reproduce this with a test case but I don't quite understand the setup yet.
If you need more, let me know.
In fact, here's a printout of imap and data in case it helps: https://gist.github.com/cmeister2/e0df6ecdeda744ba90a362fbec3b879b
In case it's relevant:
curl_mime_addpart calls this code:
(there's a bug here, but that's separate).
Also of note is that with #1957 this doesn't reproduce; probably because we're not in WAITRESOLVE state?
A note to make here is that it has a mime stream set, but upload is false...
When imap_done() got called before a connection is setup, it would try to "finish up" and dereffed a NULL pointer. Test case 1153 managed to reproduce. I had to actually use a host name to try to resolve to slow it down, as using the normal local server IP will make libcurl get a connection in the first curl_multi_perform() loop and then the bug doesn't trigger.
Fixes #1953
Assisted-by: Max Dymond
7f1140c appears to have triggered this behaviour in the fuzzer, which makes this PR a priority to get in.
I did this
Added curl_multi_remove_handle() to the fuzzer and checked it against CI.
I expected the following
Not to hit a segfault...
Broken build is here: https://travis-ci.org/curl/curl-fuzzer/jobs/283918193
Verbose logs add on some context:
The issue appears to be calling this code:
From gdb, pp.conn is NULL, and therefore we get a segfault when trying to deref a NULL pointer in Curl_pp_vsendf.
curl/libcurl version
devel
operating system
kali + ubuntu.
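The failure mode in the report, an easy handle removed while it is still in WAITRESOLVE so that pp.conn was never set, comes down to a cleanup path that assumes a fully initialized object. The model below is an added illustration, not curl's code and not the fix that landed with the PR: the struct names (easy_handle, pingpong, conn), the states and the imap_done_guarded() function are all hypothetical stand-ins for the libcurl internals named in the issue. It shows the defensive shape of such a done() path: send the protocol's LOGOUT only when a connection actually exists, and otherwise just mark the handle finished.

```c
/* Added example, not libcurl code. Models the bug in #1953: a done() handler
 * that "finishes up" through pp->conn even when the handle never connected.
 * All identifiers here are illustrative stand-ins, not libcurl's API. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

enum state { ST_WAITRESOLVE, ST_CONNECTED, ST_DONE };

struct conn {                 /* stands in for the connection object */
    char sendbuf[64];         /* last command written to the "wire" */
};

struct pingpong {             /* stands in for pp; conn stays NULL until connected */
    struct conn *conn;
};

struct easy_handle {
    enum state state;
    struct pingpong pp;
};

/* Like Curl_pp_vsendf in the report: writes through pp->conn with no NULL
 * check of its own, so callers must only reach it with a live connection. */
static int pp_sendf(struct pingpong *pp, const char *cmd)
{
    snprintf(pp->conn->sendbuf, sizeof pp->conn->sendbuf, "%s", cmd);
    return 0;
}

/* Guarded done(): only send the LOGOUT when a connection exists; a handle
 * removed while still resolving has nothing to finish up on the wire. */
static int imap_done_guarded(struct easy_handle *h)
{
    if (h->pp.conn)
        pp_sendf(&h->pp, "LOGOUT");
    h->state = ST_DONE;
    return 0;
}

/* Scenario from the report: handle removed before the first connection
 * attempt completed, so pp.conn is still NULL. Returns 1 on correct handling. */
static int remove_before_connect(void)
{
    struct easy_handle h = { ST_WAITRESOLVE, { NULL } };
    imap_done_guarded(&h);               /* must not dereference pp.conn */
    return h.state == ST_DONE && h.pp.conn == NULL;
}

/* Normal path: connected handle, LOGOUT goes out on done(). Returns 1 if the
 * command was written to the connection's buffer. */
static int remove_after_connect(void)
{
    struct conn c = { "" };
    struct easy_handle h = { ST_CONNECTED, { &c } };
    imap_done_guarded(&h);
    return h.state == ST_DONE && strcmp(c.sendbuf, "LOGOUT") == 0;
}

int main(void)
{
    printf("remove before connect handled: %d\n", remove_before_connect());
    printf("remove after connect sent LOGOUT: %d\n", remove_after_connect());
    return 0;
}
```

The second scenario is the one the fuzzer was already exercising; the first is the one a local test server hides, because, as the commit message notes, the connection is established within the first curl_multi_perform() loop and pp.conn is never NULL by the time the handle is removed.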