
curl-library

infinite loop within curl/gnurl 7.34.0

From: Christian Grothoff <christian_at_grothoff.org>
Date: Sun, 09 Mar 2014 23:16:21 +0100

I just wanted to report an infinite loop that I'm seeing deep inside
curl 7.34.0 on FreeBSD (100% reproducible with the
'test_gnunet_daemon_hostlist' of GNUnet on our buildbot).

The loop starts here:

connect.c:
1108   while(res != CURLE_OK &&
1109         conn->tempaddr[0] &&
1110         conn->tempaddr[0]->ai_next &&
1111         conn->tempsock[0] == CURL_SOCKET_BAD)
1112     res = trynextip(conn, FIRSTSOCKET, 0);

Situation:

(gdb) print *conn->tempaddr[0]->ai_next
$10 = {ai_flags = 0, ai_family = 28, ai_socktype = 1, ai_protocol = 6,
ai_addrlen = 28, ai_canonname = 0x0, ai_addr = 0x804503d68, ai_next = 0x0}

Jumps to connect.c::trynextip, enters true branches at 547 and 551,
obtains 'family = 2' but gets

(gdb) print ai
$14 = (Curl_addrinfo *) 0x804417888
(gdb) print *ai
$15 = {ai_flags = 0, ai_family = 28, ai_socktype = 1, ai_protocol = 6,
ai_addrlen = 28, ai_canonname = 0x0, ai_addr = 0x804503d68, ai_next = 0x0}

Note that ai_family != family here. The 'while(ai)' loop is entered
once, the loop that then matches ai->ai_family with family results
in 'ai = NULL' immediately; thus the 'if (ai)' on line 567 is never
entered.

"if" on 579 is also skipped, we return 'rc = CURLE_COULDNT_CONNECT'.

State is unchanged, while loop in connect.c:1108 goes into the next
iteration with exactly the same, unchanged program state -- forever.

Analysis:
=========
Seems to me that if there is no address matching the desired address
family, the code simply fails to update the address pointer.

Happy hacking!

Christian

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2014-03-09
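
An added illustration, not part of the original mail and not curl's source: a simplified C model of the loop described in the report, with hypothetical names (`try_next`, `run_loop`, `advance_on_miss`) and an iteration cap so that it terminates. The `advance_on_miss` branch is one assumed way to make the loop progress, not the fix curl adopted.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model of the reported loop; all names here are hypothetical. */
enum { RES_OK = 0, RES_COULDNT_CONNECT = 1 };

struct addr { int family; struct addr *next; };
struct conn { struct addr *tempaddr; int sock_bad; };

/* Look for the next address of 'family'. With advance_on_miss == 0 a miss
   leaves the connection state untouched, as in the report. */
static int try_next(struct conn *c, int family, int advance_on_miss)
{
  struct addr *ai = c->tempaddr->next;
  while(ai && ai->family != family)
    ai = ai->next;
  if(ai) {
    c->tempaddr = ai;
    return RES_OK; /* model only: treat a matching address as a success */
  }
  if(advance_on_miss)
    c->tempaddr = NULL; /* assumed guard: mark the list as exhausted */
  return RES_COULDNT_CONNECT;
}

/* The caller's loop, capped so the model terminates; returns iterations run. */
static int run_loop(int advance_on_miss, int cap)
{
  /* Constructed state matching the gdb output: wanted family 2, but the
     only remaining entry has ai_family 28 and ai_next == NULL. */
  struct addr last = { 28, NULL };
  struct addr first = { 2, &last };
  struct conn c = { &first, 1 };
  int res = RES_COULDNT_CONNECT, n = 0;

  while(res != RES_OK && c.tempaddr && c.tempaddr->next && c.sock_bad &&
        n < cap) {
    res = try_next(&c, first.family, advance_on_miss);
    n++;
  }
  return n;
}

int main(void)
{
  printf("state unchanged on miss: %d of 1000 iterations used\n",
         run_loop(0, 1000));
  printf("state advanced on miss:  %d iteration(s)\n", run_loop(1, 1000));
  return 0;
}
```

Without the guard the loop consumes the whole cap because every condition it tests is identical after each call; with the guard it exits after one iteration.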