multi: fix crash due to dangling entry in connect-pending list

Fixes #2677 Closes #2679
2025-01-11 05:58:01 -05:00 · 2018-06-22 20:11:26 -07:00 · 2018-06-22 20:11:26 -07:00 · 4c901638b4
commit 4c901638b4
parent 146178a9df
5 changed files with 109 additions and 2 deletions
--- a/lib/multi.c
+++ b/lib/multi.c
@ -712,6 +712,11 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
      Curl_getoff_all_pipelines(data, data->easy_conn);
  }

+  if(data->connect_queue.ptr)
+    /* the handle was in the pending list waiting for an available connection,
+       so go ahead and remove it */
+    Curl_llist_remove(&multi->pending, &data->connect_queue, NULL);
+
  if(data->dns.hostcachetype == HCACHE_MULTI) {
    /* stop using the multi handle's DNS cache, *after* the possible
       multi_done() call above */
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@ -175,7 +175,7 @@ test1520 test1521 \
 test1525 test1526 test1527 test1528 test1529 test1530 test1531 test1532 \
 test1533 test1534 test1535 test1536 test1537 test1538 \
 test1540 \
-test1550 test1551 test1552 test1553 test1554 test1555 test1556 \
+test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \
 \
 test1590 \
 test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 \
--- a/tests/data/test1557
+++ b/tests/data/test1557
@ -0,0 +1,36 @@
+<testcase>
+<info>
+<keywords>
+multi
+crash
+</keywords>
+</info>
+
+<reply>
+</reply>
+
+<client>
+<server>
+none
+</server>
+<tool>
+lib1557
+</tool>
+
+<name>
+Removing easy handle that's in the pending connections list doesn't leave behind a dangling entry
+</name>
+<command>
+nothing
+</command>
+</client>
+
+#
+# Verify that the test runs to completion without crashing
+<verify>
+<errorcode>
+0
+</errorcode>
+</verify>
+
+</testcase>
--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
@ -28,7 +28,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect                \
 lib1525 lib1526 lib1527 lib1528 lib1529 lib1530 lib1531 lib1532 lib1533 \
 lib1534 lib1535 lib1536 lib1537 lib1538 \
 lib1540 \
- lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 \
+ lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 lib1557 \
 lib1900 \
 lib2033

@ -493,6 +493,10 @@ lib1556_SOURCES = lib1556.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 lib1556_LDADD = $(TESTUTIL_LIBS)
 lib1556_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1556

+lib1557_SOURCES = lib1557.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+lib1557_LDADD = $(TESTUTIL_LIBS)
+lib1557_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1557
+
 lib1900_SOURCES = lib1900.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 lib1900_LDADD = $(TESTUTIL_LIBS)
 lib1900_CPPFLAGS = $(AM_CPPFLAGS)
--- a/tests/libtest/lib1557.c
+++ b/tests/libtest/lib1557.c
@ -0,0 +1,62 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+#include "test.h"
+
+#include "testutil.h"
+#include "warnless.h"
+#include "memdebug.h"
+
+int test(char *URL)
+{
+  CURLM *curlm = NULL;
+  CURL *curl1 = NULL;
+  CURL *curl2 = NULL;
+  int running_handles = 0;
+  int res = 0;
+
+  global_init(CURL_GLOBAL_ALL);
+
+  multi_init(curlm);
+  multi_setopt(curlm, CURLMOPT_MAX_HOST_CONNECTIONS, 1);
+
+  easy_init(curl1);
+  easy_setopt(curl1, CURLOPT_URL, URL);
+  multi_add_handle(curlm, curl1);
+
+  easy_init(curl2);
+  easy_setopt(curl2, CURLOPT_URL, URL);
+  multi_add_handle(curlm, curl2);
+
+  multi_perform(curlm, &running_handles);
+
+  multi_remove_handle(curlm, curl2);
+  curl_easy_cleanup(curl2);
+
+  /* If curl2 is still in the connect-pending list, this will crash */
+  multi_remove_handle(curlm, curl1);
+  curl_easy_cleanup(curl1);
+
+test_cleanup:
+  curl_multi_cleanup(curlm);
+  curl_global_cleanup();
+  return res;
+}