Skip to content
  1. Oct 22, 2016
    • Anders Bakken's avatar
      curl_multi_remove_handle: fix a double-free · 406506ca
      Anders Bakken authored
      In short the easy handle needs to be disconnected from its connection at
      this point since the connection still is serving other easy handles.
      
      In our app we can reliably reproduce a crash in our http2 stress test
      that is fixed by this change. I can't easily reproduce the same test in
      a small example.
      
      This is the gdb/asan output:
      
      ==11785==ERROR: AddressSanitizer: heap-use-after-free on address 0xe9f4fb80 at pc 0x09f41f19 bp 0xf27be688 sp 0xf27be67c
      READ of size 4 at 0xe9f4fb80 thread T13 (RESOURCE_HTTP)
          #0 0x9f41f18 in curl_multi_remove_handle /path/to/source/3rdparty/curl/lib/multi.c:666
      
      0xe9f4fb80 is located 0 bytes inside of 1128-byte region [0xe9f4fb80,0xe9f4ffe8)
      freed by thread T13 (RESOURCE_HTTP) here:
          #0 0xf7b1b5c2 in __interceptor_free /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:45
          #1 0x9f7862d in conn_free /path/to/source/3rdparty/curl/lib/url.c:2808
          #2 0x9f78c6a in Curl_disconnect /path/to/source/3rdparty/curl/lib/url.c:2876
          #3 0x9f41b09 in multi_done /path/to/source/3rdparty/curl/lib/multi.c:615
          #4 0x9f48017 in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1896
          #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
          #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
          #7 0x9c445e0 in ...
          #8 0x9c4cf1d in ...
          #9 0xa2be6b5 in ...
          #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
          #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
      
      previously allocated by thread T13 (RESOURCE_HTTP) here:
          #0 0xf7b1ba27 in __interceptor_calloc /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:70
          #1 0x9f7dfa6 in allocate_conn /path/to/source/3rdparty/curl/lib/url.c:3904
          #2 0x9f88ca0 in create_conn /path/to/source/3rdparty/curl/lib/url.c:5797
          #3 0x9f8c928 in Curl_connect /path/to/source/3rdparty/curl/lib/url.c:6438
          #4 0x9f45a8c in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1411
          #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
          #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
          #7 0x9c445e0 in ...
          #8 0x9c4cf1d in ...
          #9 0xa2be6b5 in ...
          #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
          #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
      
      SUMMARY: AddressSanitizer: heap-use-after-free /path/to/source/3rdparty/curl/lib/multi.c:666 in curl_multi_remove_handle
      Shadow bytes around the buggy address:
        0x3d3e9f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x3d3e9f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x3d3e9f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x3d3e9f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
        0x3d3e9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      =>0x3d3e9f70:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x3d3e9f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x3d3e9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x3d3e9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x3d3e9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x3d3e9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==11785==ABORTING
      
      Thread 14 "RESOURCE_HTTP" received signal SIGABRT, Aborted.
      [Switching to Thread 0xf27bfb40 (LWP 12324)]
      0xf7fd8be9 in __kernel_vsyscall ()
       (gdb) bt
       #0  0xf7fd8be9 in __kernel_vsyscall ()
       #1  0xf4c7ee89 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
       #2  0xf4c803e7 in __GI_abort () at abort.c:89
       #3  0xf7b2ef2e in __sanitizer::Abort () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cc:122
       #4  0xf7b262fa in __sanitizer::Die () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_common.cc:145
       #5  0xf7b21ab3 in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0xf27be171, __in_chrg=<optimized out>) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:689
       #6  0xf7b214a5 in __asan::ReportGenericError (pc=166993689, bp=4068206216, sp=4068206204, addr=3925146496, is_write=false, access_size=4, exp=0, fatal=true) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:1074
       #7  0xf7b21fce in __asan::__asan_report_load4 (addr=3925146496) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_rtl.cc:129
       #8  0x09f41f19 in curl_multi_remove_handle (multi=0xf3406080, data=0xde582400) at /path/to/source3rdparty/curl/lib/multi.c:666
       #9  0x09f6b277 in Curl_close (data=0xde582400) at /path/to/source3rdparty/curl/lib/url.c:415
       #10 0x09f3354e in curl_easy_cleanup (data=0xde582400) at /path/to/source3rdparty/curl/lib/easy.c:860
       #11 0x09c6de3f in ...
       #12 0x09c378c5 in ...
       #13 0x09c48133 in ...
       #14 0x09c4d092 in ...
       #15 0x0a2be6b6 in ...
       #16 0xf7aa5781 in asan_thread_start (arg=0xf2d22938) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
       #17 0xf5de52b5 in start_thread (arg=0xf27bfb40) at pthread_create.c:333
       #18 0xf4d3a16e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:114
      
      Fixes #1083
      406506ca
    • Daniel Stenberg's avatar
      fc458679
    • Daniel Stenberg's avatar
      testcurl.1: update URLs · a84e0713
      Daniel Stenberg authored
      a84e0713
  2. Oct 21, 2016
  3. Oct 20, 2016
  4. Oct 19, 2016
    • Daniel Stenberg's avatar
      curl_multi_add_handle: set timeouts in closure handles · 5c3d8d20
      Daniel Stenberg authored
      The closure handle only ever has default timeouts set. To improve the
      state somewhat we clone the timeouts from each added handle so that the
      closure handle always has the same timeouts as the most recently added
      easy handle.
      
      Fixes #739
      5c3d8d20
  5. Oct 18, 2016
  6. Oct 17, 2016
  7. Oct 16, 2016
  8. Oct 14, 2016
  9. Oct 13, 2016
  10. Oct 12, 2016
  11. Oct 11, 2016
  12. Oct 10, 2016
  13. Oct 08, 2016