Jari Sundell did some excellent research and bug tracking, figured out that

we did wrong and patched it: When nodes were removed from the splay tree, and we didn't properly remove it from the splay tree when an easy handle was removed from a multi stack and thus we could wrongly leave a node in the splay tree pointing to (bad) memory.
2006-07-17 18:35:58 +00:00 · 2006-07-17 18:35:58 +00:00 · 06d05b18b2
parent 431c4bd6e3
commit 06d05b18b2
3 changed files with 33 additions and 2 deletions
--- a/7
+++ b/7
@ -6,6 +6,13 @@

                                  Changelog

+Daniel (17 July 2006)
+- Jari Sundell did some excellent research and bug tracking, figured out that
+  we did wrong and patched it: When nodes were removed from the splay tree,
+  and we didn't properly remove it from the splay tree when an easy handle was
+  removed from a multi stack and thus we could wrongly leave a node in the
+  splay tree pointing to (bad) memory.
+
 Daniel (14 July 2006)
 - David McCreedy fixed a flaw where the CRLF counter wasn't properly cleared
  for FTP ASCII transfers.
--- a/3
+++ b/3
@ -18,6 +18,7 @@ This release includes the following changes:

 This release includes the following bugfixes:

+ o splay-tree related problems for internal expire time handling
 o FTP ASCII CRLF counter reset
 o cookie parser now compares paths case sensitive
 o an easy handle with shared DNS cache added to a multi handle caused a crash
@ -39,6 +40,6 @@ This release would not have looked like this without help, code, reports and
 advice from friends like these:

 Dan Fandrich, Peter Silva, Arve Knudsen, Michael Wallner, Toshiyuki Maezawa,
- Ingmar Runge, Ates Goral, David McCreedy
+ Ingmar Runge, Ates Goral, David McCreedy, Jari Sundell

        Thanks! (and sorry if I forgot to mention someone)
--- a/lib/multi.c
+++ b/lib/multi.c
@ -381,6 +381,11 @@ CURLMcode curl_multi_remove_handle(CURLM *multi_handle,
    /* If the 'state' is not INIT or COMPLETED, we might need to do something
       nice to put the easy_handle in a good known state when this returns. */

+    /* The timer must be shut down before easy->multi is set to NULL,
+       else the timenode will remain in the splay tree after
+       curl_easy_cleanup is called. */
+    Curl_expire(easy->easy_handle, 0);
+
    if(easy->easy_handle->dns.hostcachetype == HCACHE_MULTI) {
      /* clear out the usage of the shared DNS cache */
      easy->easy_handle->dns.hostcache = NULL;
@ -962,6 +967,17 @@ CURLMcode curl_multi_perform(CURLM *multi_handle, int *running_handles)
    int key = now.tv_sec; /* drop the usec part */

    multi->timetree = Curl_splaygetbest(key, multi->timetree, &t);
+
+    if (t) {
+      struct SessionHandle *d = t->payload;
+      struct timeval* tv = &d->state.expiretime;
+
+      /* clear the expire times within the handles that we remove from the
+         splay tree */
+      tv->tv_sec = 0;
+      tv->tv_usec = 0;
+    }
+
  } while(t);

  return returncode;
@ -1207,8 +1223,15 @@ static CURLMcode multi_socket(struct Curl_multi *multi,
    key = now.tv_sec; /* drop the usec part */

    multi->timetree = Curl_splaygetbest(key, multi->timetree, &t);
-    if(t)
+    if(t) {
+      /* assign 'data' to be the easy handle we just removed from the splay
+         tree */
      data = t->payload;
+      /* clear the expire time within the handle we removed from the
+         splay tree */
+      data->state.expiretime.tv_sec = 0;
+      data->state.expiretime.tv_usec = 0;
+    }

  } while(t);