mirror of
https://github.com/moparisthebest/curl
synced 2024-08-13 17:03:50 -04:00
Eygene Ryabinkin fixed a use-after-free issue with HTTP transfers with the
multi interface
This commit is contained in:
parent
0dc570862a
commit
09c70dec08
20
CHANGES
20
CHANGES
@ -7,6 +7,26 @@
|
|||||||
Changelog
|
Changelog
|
||||||
|
|
||||||
Daniel (10 March 2007)
|
Daniel (10 March 2007)
|
||||||
|
- Eygene Ryabinkin:
|
||||||
|
|
||||||
|
The problem is the following: when we're calling Curl_done and it decides to
|
||||||
|
keep the connection opened ('left intact'), then the caller is not notified
|
||||||
|
that the connection was done via the NULLifying of the pointer, so some easy
|
||||||
|
handle is keeping the pointer to this connection.
|
||||||
|
|
||||||
|
Later ConnectionExists can select such connection for reuse even if we're
|
||||||
|
not pipelining: pipeLen is zero, so the (pipeLen > 0 && !canPipeline) is
|
||||||
|
false and we can reuse this connection for another easy handle. But thus the
|
||||||
|
connection will be shared between two easy handles if the handle that wants
|
||||||
|
to take the ownership is not the same as was not notified of the connection
|
||||||
|
was done in Curl_done. And when some of these easy handles will get their
|
||||||
|
connection really freed the another one will still keep the pointer.
|
||||||
|
|
||||||
|
My fix was rather trivial: I just added the NULLification to the 'else'
|
||||||
|
branch in the Curl_done. My tests with Git and ElectricFence showed no
|
||||||
|
problems both for HTTP pulling and cloning. Repository size is about 250 Mb,
|
||||||
|
so it was a considerable amount of Curl's work.
|
||||||
|
|
||||||
- Bryan Henderson introduces two things:
|
- Bryan Henderson introduces two things:
|
||||||
1) the progress callback gets called more frequently (at times)
|
1) the progress callback gets called more frequently (at times)
|
||||||
2) libcurl *might* call the callback when it receives a signal:
|
2) libcurl *might* call the callback when it receives a signal:
|
||||||
|
@ -41,6 +41,7 @@ This release includes the following bugfixes:
|
|||||||
o CURLOPT_INTERFACE for ipv6
|
o CURLOPT_INTERFACE for ipv6
|
||||||
o the progress callback can get called more frequently
|
o the progress callback can get called more frequently
|
||||||
o libcurl might call the progress callback when it receives a signal
|
o libcurl might call the progress callback when it receives a signal
|
||||||
|
o use-after-free issue with HTTP transfers with the multi interface
|
||||||
|
|
||||||
This release includes the following known bugs:
|
This release includes the following known bugs:
|
||||||
|
|
||||||
@ -62,6 +63,6 @@ advice from friends like these:
|
|||||||
Rob Crittenden, Robert A. Monat, Dan Fandrich, Duncan Mac-Vicar Prett,
|
Rob Crittenden, Robert A. Monat, Dan Fandrich, Duncan Mac-Vicar Prett,
|
||||||
Michal Marek, Robson Braga Araujo, Ian Turner, Linus Nielsen Feltzing,
|
Michal Marek, Robson Braga Araujo, Ian Turner, Linus Nielsen Feltzing,
|
||||||
Ravi Pratap, Adam D. Moss, Jose Kahan, Hang Kin Lau, Justin Fletcher,
|
Ravi Pratap, Adam D. Moss, Jose Kahan, Hang Kin Lau, Justin Fletcher,
|
||||||
Robert Iakobashvili, Bryan Henderson
|
Robert Iakobashvili, Bryan Henderson, Eygene Ryabinkin
|
||||||
|
|
||||||
Thanks! (and sorry if I forgot to mention someone)
|
Thanks! (and sorry if I forgot to mention someone)
|
||||||
|
@ -4240,6 +4240,10 @@ CURLcode Curl_done(struct connectdata **connp,
|
|||||||
infof(data, "Connection #%ld to host %s left intact\n",
|
infof(data, "Connection #%ld to host %s left intact\n",
|
||||||
conn->connectindex,
|
conn->connectindex,
|
||||||
conn->bits.httpproxy?conn->proxy.dispname:conn->host.dispname);
|
conn->bits.httpproxy?conn->proxy.dispname:conn->host.dispname);
|
||||||
|
|
||||||
|
*connp = NULL; /* to make the caller of this function better detect that
|
||||||
|
this connection is handed over and no longer used from
|
||||||
|
this point on */
|
||||||
}
|
}
|
||||||
|
|
||||||
return result;
|
return result;
|
||||||
|
Loading…
Reference in New Issue
Block a user