Bugs item #2868910, was opened at 2009-09-28 17:07
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2868910&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: SSL/TLS
Group: crash
>Status: Pending
>Resolution: Works For Me
Priority: 5
Private: No
Submitted By: Tomek Bury (tomekbury)
Assigned to: Daniel Stenberg (bagder)
Summary: dangling pointer on reused ssl connections

Initial Comment:
When libCurl reuses existing SSL/TLS connection it doesn't call ssl ctx function set by CURLOPT_SSL_CTX_FUNCTION and CURLOPT_SSL_CTX_DATA. Instead it blindly reuses ssl context modified by whichever easy request was using it previously.

As result, example code using ssl ctx callback to call SSL_CTX_set_cert_verify_callback (as per curlx.c example) may lead to use of dangling pointer.

Scenario:

1. easy reqest 1 sets CURLOPT_SSL_CTX_FUNCTION and CURLOPT_SSL_CTX_DATA, data points to request's data.
2. easy_perform called on reqest 1 triggers ssl ctx function, which in turn calls SSL_CTX_set_cert_verify_callback
3. later on verify callback fires and uses request's data.
4. request 1 completes, request's data is deleted

so far so good...

5. easy reqest 1 sets CURLOPT_SSL_CTX_FUNCTION and CURLOPT_SSL_CTX_DATA, data points to 2nd request's data.
6. easy_perform called on request 2 does NOT triggers ssl ctx function
7. later on verify callback fires and uses the 1st request's data but now it's a dangling pointer- .
8. memory corruption

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2009-10-21 16:53

Message:
Can you please provide an example source code that shows a memory
corruption case that isn't the fault of the app?

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2009-10-01 10:48

Message:
I don't see how that memory corruption is really libcurl's fault, since it
doesn't call the callback the app clearly knows this and should act
accordingly.

But the fact that it doesn't call the ssl context callback on a re-used
connection might be something to adress. I've personally not that into
exactly what that context/callback is typically used for so I don't know
how such a change might impact existing users. It does require tweaking the
code somewhat though to make it act this way.

----------------------------------------------------------------------

Comment By: Tomek Bury (tomekbury)
Date: 2009-09-28 18:52

Message:
I made a typo:

5. easy request 1 - should be request 2, not 1.

The whole point is that changes made to ssl context by one easy handle are
silently reused by different, unrelated easy handle.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2868910&group_id=976
Received on 2009-10-21