If Curl_done is called with premature == TRUE we can't pipeline #690
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This prevents a crash in the following scenario:
2 (or more) requests are made to the same host and pipelining is enabled.
The first request times out. Curl_done will return early in this block
since conn->send_pipe->size == 1:
if((conn->send_pipe->size + conn->recv_pipe->size != 0 &&
!data->set.reuse_forbid &&
!conn->bits.close)) {
/* Stop if pipeline is not empty and we do not have to close
connection. */
DEBUGF(infof(data, "Connection still in use, no more Curl_done now!\n"));
return CURLE_OK;
}
When the second one fails it will not return early and will in fact
call Curl_disconnect which will free the connection.
When curl_easy_cleanup is called on the first request his easy_conn
pointer will be a dangling pointer and the app will crash.
ASAN output:
==7245==ERROR: AddressSanitizer: heap-use-after-free on address 0xda366d80 at pc 0x986d05b bp 0xd94b16d8 sp 0xd94b16c0
READ of size 4 at 0xda366d80 thread T16 (RESOURCE_HTTP)
#0 0x986d05a in curl_multi_remove_handle
curl#1 0x98a3e2b in Curl_close
curl#2 0x985abb5 in curl_easy_cleanup
curl#3 0x9777302 in <application frames>
curl#4 0xf7b2a016 in __asan::AsanThread::ThreadStart(unsigned long)
curl#5 0xf7b16f40 in asan_thread_start(void*)
curl#6 0xf7a971a9 in start_thread
curl#7 0xf681b02d in clone
0xda366d80 is located 0 bytes inside of 1100-byte region [0xda366d80,0xda3671cc)
freed by thread T16 (RESOURCE_HTTP) here:
#0 0xf7b1fa5a in free
curl#1 0x98b5948 in Curl_disconnect
curl#2 0x98d067d in Curl_done
curl#3 0x9875a61 in curl_multi_perform
curl#4 0x9758a71 in <application frames>
curl#5 0xf7b2a016 in __asan::AsanThread::ThreadStart(unsigned long)
curl#6 0xf681b02d in clone
jay
pushed a commit
that referenced
this pull request
Mar 1, 2016
Prevent a crash if 2 (or more) requests are made to the same host and pipelining is enabled and the connection does not complete. Bug: #690
|
Thanks, landed in 3c2ef2a. |
|
Thanks.
|
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This prevents a crash in the following scenario:
2 (or more) requests are made to the same host and pipelining is enabled.
The first request times out. Curl_done will return early in this block
since conn->send_pipe->size == 1:
if((conn->send_pipe->size + conn->recv_pipe->size != 0 &&
!data->set.reuse_forbid &&
!conn->bits.close)) {
/* Stop if pipeline is not empty and we do not have to close
connection. */
DEBUGF(infof(data, "Connection still in use, no more Curl_done now!\n"));
return CURLE_OK;
}
When the second one fails it will not return early and will in fact
call Curl_disconnect which will free the connection.
When curl_easy_cleanup is called on the first request his easy_conn
pointer will be a dangling pointer and the app will crash.
ASAN output: