- Constantine Sapuntzakis identified a write after close, as the sockets were (504e6d7a) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

CHANGES

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -7,6 +7,10 @@
	Changelog		Changelog

	Daniel Stenberg (20 Nov 2009)		Daniel Stenberg (20 Nov 2009)
			- Constantine Sapuntzakis identified a write after close, as the sockets were
			closed by libcurl before the SSL lib were shutdown and they may write to its
			socket. Detected to at least happen with OpenSSL builds.

	- Jad Chamcham pointed out a bug with connection re-use. If a connection had		- Jad Chamcham pointed out a bug with connection re-use. If a connection had
	CURLOPT_HTTPPROXYTUNNEL enabled over a proxy, a subsequent request using the		CURLOPT_HTTPPROXYTUNNEL enabled over a proxy, a subsequent request using the
	same proxy with the tunnel option disabled would still wrongly re-use that		same proxy with the tunnel option disabled would still wrongly re-use that

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -24,6 +24,7 @@ This release includes the following bugfixes:
	o don't store LDFLAGS in pkg-config file		o don't store LDFLAGS in pkg-config file
	o never-pruned DNS cached entries		o never-pruned DNS cached entries
	o HTTP proxy tunnel re-used connection even if tunnel got disabled		o HTTP proxy tunnel re-used connection even if tunnel got disabled
			o SSL lib post-close write

	This release includes the following known bugs:		This release includes the following known bugs:

+5 −3

Original line number	Original line	Diff line number	Diff line
	@@ -2300,6 +2300,11 @@ static void conn_free(struct connectdata *conn)
	if(!conn)		if(!conn)
	return;		return;

			/* close the SSL stuff before we close any sockets since they will/may
			write to the sockets */
			Curl_ssl_close(conn, FIRSTSOCKET);
			Curl_ssl_close(conn, SECONDARYSOCKET);

	/* close possibly still open sockets */		/* close possibly still open sockets */
	if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET])		if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET])
	sclose(conn->sock[SECONDARYSOCKET]);		sclose(conn->sock[SECONDARYSOCKET]);
	@@ -2336,9 +2341,6 @@ static void conn_free(struct connectdata *conn)
	Curl_destroy_thread_data(&conn->async);		Curl_destroy_thread_data(&conn->async);
	#endif		#endif

	Curl_ssl_close(conn, FIRSTSOCKET);
	Curl_ssl_close(conn, SECONDARYSOCKET);

	Curl_free_ssl_config(&conn->ssl_config);		Curl_free_ssl_config(&conn->ssl_config);

	free(conn); /* free all the connection oriented data */		free(conn); /* free all the connection oriented data */