Use heap after free in libcurl linked with Schannel

[sergio-nsk]

From here, in multi_runsingle() on the line curl/lib/multi.c:1934, host.rawalloc is freed: Curl_safefree(existing->host.rawalloc);

1: 0x1870da80 is located 0 bytes inside of 26-byte region [0x1870da80,0x1870da9a)
1: freed by thread T0 here:
1:     #0 0x14ba221 in free D:\a01\_work\38\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_malloc_win.cpp:109
1:     #1 0x1b2323c in reuse_conn C:\actions-runner\_work\client\client\third-party\curl\lib\url.c:3387
1:     #2 0x1b1bde6 in create_conn C:\actions-runner\_work\client\client\third-party\curl\lib\url.c:3747
1:     #3 0x1b16b0c in Curl_connect C:\actions-runner\_work\client\client\third-party\curl\lib\url.c:3946
1:     #4 0x1b02c71 in multi_runsingle C:\actions-runner\_work\client\client\third-party\curl\lib\multi.c:1934

Later in the same function multi_runsingle() on the line curl/lib/multi.c:2469, it calls schannel_shutdown() on the line curl/lib/vtls/schannel.c:2505 that accesses connssl->hostname that definitely points to somewhere inside the freed memory.

1: ==476==ERROR: AddressSanitizer: heap-use-after-free on address 0x1870da80 at pc 0x014bf5f9 bp 0x004f779c sp 0x004f7790
1: READ of size 3 at 0x1870da80 thread T0
1:     #0 0x14bf611 in __asan_wrap_strlen D:\a01\_work\38\s\src\vctools\crt\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:375
1:     #1 0x1b6b684 in dprintf_formatf C:\actions-runner\_work\client\client\third-party\curl\lib\mprintf.c:842
1:     #2 0x1b6[864](https://github.com/snxd/client/actions/runs/3934099623/jobs/6728495573#step:8:865)c in curl_mvsnprintf C:\actions-runner\_work\client\client\third-party\curl\lib\mprintf.c:1036
1:     #3 0x1b372c7 in Curl_infof C:\actions-runner\_work\client\client\third-party\curl\lib\sendf.c:251
1:     #4 0x1b84d36 in schannel_shutdown C:\actions-runner\_work\client\client\third-party\curl\lib\vtls\schannel.c:2505
1:     #5 0x1b8542f in schannel_close C:\actions-runner\_work\client\client\third-party\curl\lib\vtls\schannel.c:2596
1:     #6 0x1b2d654 in cf_close C:\actions-runner\_work\client\client\third-party\curl\lib\vtls\vtls.c:1439
1:     #7 0x1b2810f in ssl_cf_close C:\actions-runner\_work\client\client\third-party\curl\lib\vtls\vtls.c:1488
1:     #8 0x1b62c62 in Curl_conn_close C:\actions-runner\_work\client\client\third-party\curl\lib\cfilters.c:155
1:     #9 0x1b1ac21 in conn_shutdown C:\actions-runner\_work\client\client\third-party\curl\lib\url.c:749
1:     #10 0x1b16fa1 in Curl_disconnect C:\actions-runner\_work\client\client\third-party\curl\lib\url.c:861
1:     #11 0x1b01e9a in multi_done C:\actions-runner\_work\client\client\third-party\curl\lib\multi.c:721
1:     #12 0x1b03fe0 in multi_runsingle C:\actions-runner\_work\client\client\third-party\curl\lib\multi.c:2469

This seems to be similar to the issue #10273

cUrl version

libcurl v7.87.0

operating system

Windows 10, Windows 11

[dfandrich]

Does this reproduce on the ver. 7.87.0? Your version is over two years old and we've fixed over 2100 bugs since then.

[sergio-nsk]

@dfandrich It's an issue of libcurl v7.87.0. It was a typo in the initial post, then I edited it.

[icing]

@sergio-nsk thanks for the details. I can now understand what happens here and it seems indeed the same cause as in #10273. Working on a fix.

[icing]

Please see #10310 as a fix for this and #10273.

[sergio-nsk]

@icing I have tried the fix. It seems to fix the issue. Great job, thank you.

Hope to get a corrective release 7.87.1 soon.