(Unified post of the recent messages)

Hello.

I think, I found a bug of libCURL.

I wrote a daemon tool which has asynchronous function calls and where a websites are called every 60 seconds with a timeout of 30 seconds. The daemon crashed after a few hours. On the screen I see "Speicherzugriffsfehler" (German for "Memory access error" = Segmentation Fault?)

With the GDB Tool I see that the segmentation fault comes everytime from curl_escape(). The output of GDB is:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1216652384 (LWP 23994)]
0xb7cf888a in curl_escape () from /usr/lib/libcurl.so.3

I use G++ on a Linux Debian Etch with LibCURL3. I installed the library with "apd-get install libcurl3-dev" and I think I have the current stable libcurl version for my Debian system. "curl -v" shows me:

curl 7.15.5 (i486-pc-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8c zlib/1.2.3
libidn/0.6.5
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Compile with
g++ -g -Wall -ansi -pedantic -lcurl -o programmname main.c;

Now I could create a test program where the access violation appears after a few seconds. And that is the source code of the crash-demo-application:

#include <stdlib.h>
#include <stdio.h>
#include <iostream>
#include <sstream>
#include <string.h>
#include <curl/curl.h>

using namespace std;

bool http_call () {
        CURL *curl;

        curl = curl_easy_init();
        if(curl) {
                curl_easy_setopt(curl, CURLOPT_URL, "http://www.example.com/");

                string buffer;
                curl_easy_setopt(curl, CURLOPT_WRITEDATA, &buffer);

                curl_easy_setopt(curl, CURLOPT_TIMEOUT, 1); // 1 Sekunde provoziert die AV stark

                CURLcode res;
                res = curl_easy_perform(curl);

                curl_easy_cleanup(curl);

                return (res == CURLE_OK);
        } else return false;
}

int main(void) {
        while (true) {
                cout << "A" << ::std::endl;
                http_call();
                sleep(2);
        }
        return 0;
}

When I set the interval to 2 seconds and the timeout to 1 second, the bug appears very often. Usually, this should not be. The HTTP call should be unsuccessful, but the program may not crash because of that.

Note: Of course, this is not my real source code. I abstracted my 500 lines source code and removed every line that did not make the crash remove. And so, this minimal-program-code above could reconstruct the bug. The bug appears with writer function as well as without.

Here is my http function in the original case (before I did abstract to the
minimal crash-demo-application - and it crashes with the same error):

// Copied this function from haxx.se
static int writer(char *data, size_t size, size_t nmemb, std::string *buffer)
{
    // What we will return
    int result = 0;

    // Is there anything in the buffer?
    if (buffer != NULL)
    {
        // Append the data to the buffer
        buffer->append(data, size * nmemb);

        // How much did we write?
        result = size * nmemb;
    }

    return result;
}

static bool http_call (string url) {
    CURL *curl;

    logEvent(VERBOSE_LEVEL_DEBUG, "Calling URL: " + url);

    curl = curl_easy_init();
    if(curl) {
        // URL übergeben
        curl_easy_setopt(curl, CURLOPT_URL, url.c_str());

        // Keine Kopfzeile einblenden
        curl_easy_setopt(curl, CURLOPT_HEADER, false);

        // Verbindung danach beenden
        curl_easy_setopt(curl, CURLOPT_FORBID_REUSE, true);

        // Pufferoptionen
        char errorBuffer[CURL_ERROR_SIZE];
        curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorBuffer);
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writer);
        string buffer;
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, &buffer);

        // Benutzerdefinierter User-Agent-Name
        curl_easy_setopt(curl, CURLOPT_USERAGENT, "Hello World Browser");

        // Einen Timeout setzen
        curl_easy_setopt(curl, CURLOPT_TIMEOUT, 1);

        // Weiterleitungen beachten, aber nur max. 50x
        curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
        curl_easy_setopt(curl, CURLOPT_MAXREDIRS, 50);

        // Einen HTTP-Fehler-Statuscode beachten
        curl_easy_setopt(curl, CURLOPT_FAILONERROR, true);

        // SSL-Zertifikate nicht prüfen (Warnung! Sicherheitslücke)
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, false);
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, false);

        // Abfrage ausführen und Resultat speichern
        CURLcode res;
        res = curl_easy_perform(curl);

        // Clean up
        curl_easy_cleanup(curl);

        // Alles OK?
        if (res == CURLE_OK)
        {
            logEvent(VERBOSE_LEVEL_DEBUG, "URL successfully entered.");

            if (buffer != "\0") {
                logEvent(VERBOSE_LEVEL_DEBUG, "There was an output: " + buffer);
            } else {
                logEvent(VERBOSE_LEVEL_DEBUG, "There was no output.");
            }
            return true;
        }
        else
        {
            logEvent(VERBOSE_LEVEL_DEBUG, "Error while entering address: [" + IntToStr(res) + "] - " + errorBuffer);
            return false;
        }
    } else return false;
}

I think that is a bug of cURL. Please reply. If neccessary, I can append the original linux binary file I compiled.

Best regards
Daniel Marschall
Received on 2009-02-03