
curl-tracker Archives

[ curl-Bugs-3511794 ] curl core dump [PATCH]

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Sat, 31 Mar 2012 10:54:07 -0700

Bugs item #3511794, was opened at 2012-03-27 00:38
Message generated for change (Settings changed) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3511794&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: client module
Group: crash
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Olaf Flebbe (oflebbe)
Assigned to: Daniel Stenberg (bagder)
Summary: curl core dump [PATCH]

Initial Comment:
It is possible to trigger a core dump in the debug output, tool_cb_dbg.c. (It may be called with CURLINFO_HEADER_OUT and size 0.)

I triggered it accidentally while trying out curl in verbose mode with huge HTTP headers with HTTPS protocol on a tomcat service.

----------------------------------------------------------------------

Comment By: Yang Tse (yangtse)
Date: 2012-03-27 13:29

Message:
Your fix has been pushed as commit 4bdb664c to git repo.

Thanks a lot

----------------------------------------------------------------------

Comment By: Olaf Flebbe (oflebbe)
Date: 2012-03-27 08:33

Message:
Hi,

I have analysed the problem before:
Hope this writeup helps a lot more than a stack trace.

consider:
Curl_add_buffer_send()

It calls (http.c:1076)

1076 res = Curl_write(conn, sockfd, ptr, sendsize, &amount);

This calls SSL_write (ssluse.c:2631).
It returns error code err=3 for this specific tomcat service in use with
this gigantic header.

It runs the following code for err=3:
     case SSL_ERROR_WANT_READ:
2638 case SSL_ERROR_WANT_WRITE:
2639 /* The operation did not complete; the same TLS/SSL I/O function
2640 should be called again later. This is basically an EWOULDBLOCK
2641 equivalent. */
2642 *curlcode = CURLE_AGAIN;
2643 return -1;

This calls sendf.c and CURLE_AGAIN is transformed to a 0 byte write and CURLE_OK

256 switch(curlcode) {
257 case CURLE_AGAIN:
258 *written = 0;
259 return CURLE_OK;

Thus the

1076 res = Curl_write(conn, sockfd, ptr, sendsize, &amount);

ends with amount = 0 and res = CURLE_OK.(!)

This results later on in calling
Curl_debug with size == 0

calling
showit with size == 0

calling
tool_debug_cb with size == 0

iterating i over 0 to (size -1) (OOPS!)(tool_cb_dbg.c:110)

----------------------------------------------------------------------

Comment By: Yang Tse (yangtse)
Date: 2012-03-27 07:13

Message:
tool_debug_cb() could be modified to tolerate being called with a zero size
argument, but this situation most likely is revealing that there's a
problem somewhere else.

Would it be possible for you to build and use a debug enabled curl and
libcurl to trigger the problem again and provide a stack trace?

----------------------------------------------------------------------

Received on 2012-04-01
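
Added example, not code from curl or from this thread: a C sketch of the zero-size case described in the analysis above, assuming the callback's loop has the form `i < size - 1` with `size` as a `size_t` (the type libcurl's debug callback uses). `unguarded_bound` and `dump_header_lines` are hypothetical names, and the header bytes are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Loop bound of the unguarded pattern "for(i = 0; i < size - 1; i++)".
   size is unsigned, so size == 0 wraps to SIZE_MAX instead of -1 and the
   loop would walk far past the end of the buffer. */
static size_t unguarded_bound(size_t size)
{
  return size - 1;
}

/* Hypothetical debug-callback helper (assumption, not curl's function):
   writes each LF-terminated line of data[0..size) to out with a prefix and
   returns the number of prefixed chunks written. A zero-size call is a
   no-op, which is the guard the unguarded loop lacks. */
static size_t dump_header_lines(FILE *out, const char *prefix,
                                const char *data, size_t size)
{
  size_t i, begin = 0, lines = 0;
  if(size == 0 || !data)
    return 0;                       /* nothing to scan, nothing to print */
  for(i = 0; i < size - 1; i++) {   /* safe: size >= 1 on this path */
    if(data[i] == '\n') {
      fputs(prefix, out);
      fwrite(data + begin, 1, i + 1 - begin, out);
      begin = i + 1;
      lines++;
    }
  }
  fputs(prefix, out);               /* final (possibly partial) line */
  fwrite(data + begin, 1, size - begin, out);
  return lines + 1;
}

int main(void)
{
  /* Constructed sample input, not captured traffic. */
  static const char hdr[] = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n";
  printf("size - 1 for size 0: %zu\n", unguarded_bound(0));
  printf("chunks: %zu\n",
         dump_header_lines(stdout, "=> ", hdr, sizeof(hdr) - 1));
  printf("chunks for size 0: %zu\n",
         dump_header_lines(stdout, "=> ", hdr, 0));
  return 0;
}
```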
