moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-12-21 23:58:49 -05:00
Code Issues Releases Wiki Activity

Lots of work and analysis by "xbx___" in bug #1431750

Browse Source 
(http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two
different but related bugs:

1) Removing an easy handle from a multi handle before the transfer is done
   could leave a connection in the connection cache for that handle that is
   in a state that isn't suitable for re-use. A subsequent re-use could then
   read from a NULL pointer and segfault.

2) When an easy handle was removed from the multi handle, there could be an
   outstanding c-ares DNS name resolve request. When the response arrived,
   it caused havoc since the connection struct it "belonged" to could've
   been freed already.

Now Curl_done() is called when an easy handle is removed from a multi handle
pre-maturely (that is, before the transfer was complteted). Curl_done() also
makes sure to cancel all (if any) outstanding c-ares requests.
This commit is contained in:
Daniel Stenberg 2006-02-23 12:20:48 +00:00
parent d29147565c
commit 6fdbb01194
5 changed files with 32 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
CHANGES
View File

@ -6,6 +6,25 @@
Changelog Changelog
Daniel (22 February 2006)
- Lots of work and analysis by "xbx___" in bug #1431750
(http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two
different but related bugs:
1) Removing an easy handle from a multi handle before the transfer is done
could leave a connection in the connection cache for that handle that is
in a state that isn't suitable for re-use. A subsequent re-use could then
read from a NULL pointer and segfault.
2) When an easy handle was removed from the multi handle, there could be an
outstanding c-ares DNS name resolve request. When the response arrived,
it caused havoc since the connection struct it "belonged" to could've
been freed already.
Now Curl_done() is called when an easy handle is removed from a multi handle
pre-maturely (that is, before the transfer was complteted). Curl_done() also
makes sure to cancel all (if any) outstanding c-ares requests.
Daniel (21 February 2006) Daniel (21 February 2006)
- Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy - Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy
type to the already provided type CURLPROXY_SOCKS4. type to the already provided type CURLPROXY_SOCKS4.

2
RELEASE-NOTES
View File

@ -22,6 +22,8 @@ This release includes the following changes:
This release includes the following bugfixes: This release includes the following bugfixes:
o two bugs concerning using curl_multi_remove_handle() before the transfer
was complete
o multi-pass authentication and compressed content o multi-pass authentication and compressed content
o minor format string mistake in the GSS/Negotiate code o minor format string mistake in the GSS/Negotiate code
o cached DNS entries could remain in the cache too long o cached DNS entries could remain in the cache too long

3
lib/hostip.h
View File

@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -82,6 +82,7 @@
#define CURL_ASYNC_SUCCESS ARES_SUCCESS #define CURL_ASYNC_SUCCESS ARES_SUCCESS
#else #else
#define CURL_ASYNC_SUCCESS CURLE_OK #define CURL_ASYNC_SUCCESS CURLE_OK
#define ares_cancel(x)
#endif #endif
/* /*

6
lib/multi.c
View File

@ -92,10 +92,10 @@ struct Curl_one_easy {
int msg_num; /* number of messages left in 'msg' to return */ int msg_num; /* number of messages left in 'msg' to return */
}; };
#define CURL_MULTI_HANDLE 0x000bab1e #define CURL_MULTI_HANDLE 0x000bab1e
#define GOOD_MULTI_HANDLE(x) ((x)&&(((struct Curl_multi *)x)->type == CURL_MULTI_HANDLE)) #define GOOD_MULTI_HANDLE(x) \
((x)&&(((struct Curl_multi *)x)->type == CURL_MULTI_HANDLE))
#define GOOD_EASY_HANDLE(x) (x) #define GOOD_EASY_HANDLE(x) (x)
/* This is the struct known as CURLM on the outside */ /* This is the struct known as CURLM on the outside */
@ -245,6 +245,8 @@ CURLMcode curl_multi_remove_handle(CURLM *multi_handle,
Curl_easy_addmulti(easy->easy_handle, NULL); /* clear the association Curl_easy_addmulti(easy->easy_handle, NULL); /* clear the association
to this multi handle */ to this multi handle */
Curl_done(&easy->easy_conn, easy->result);
/* make the previous node point to our next */ /* make the previous node point to our next */
if(easy->prev) if(easy->prev)
easy->prev->next = easy->next; easy->prev->next = easy->next;

6
lib/url.c
View File

@ -3654,7 +3654,7 @@ static CURLcode CreateConnection(struct SessionHandle *data,
/* Continue connectdata initialization here. /* Continue connectdata initialization here.
* *
* Inherit the proper values from the urldata struct AFTER we have arranged * Inherit the proper values from the urldata struct AFTER we have arranged
* the persistent conncetion stuff */ * the persistent connection stuff */
conn->fread = data->set.fread; conn->fread = data->set.fread;
conn->fread_in = data->set.in; conn->fread_in = data->set.in;
@ -3999,6 +3999,10 @@ CURLcode Curl_done(struct connectdata **connp,
Curl_pgrsDone(conn); /* done with the operation */ Curl_pgrsDone(conn); /* done with the operation */
/* for ares-using, make sure all possible outstanding requests are properly
cancelled before we proceed */
ares_cancel(data->state.areschannel);
/* if data->set.reuse_forbid is TRUE, it means the libcurl client has /* if data->set.reuse_forbid is TRUE, it means the libcurl client has
forced us to close this no matter what we think. forced us to close this no matter what we think.