crash with -F file=@/directory #1053

Closed
tobypeterson opened this Issue Oct 3, 2016 · 1 comment

Projects

None yet

2 participants

@tobypeterson
tobypeterson commented Oct 3, 2016 edited

Easy to repro:

% curl -F file=@/tmp example.com
curl(32762,0x7fffc20493c0) malloc: *** error for object 0x7fdfe7400017: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug

Crash introduced by commit c2a809cd265c37e7bbef55e64d70114d2f0d7189

The last goto added there is after newform has been added to list (formp), so curl then crashes since the list contains a freed entry.

Obvious fix is to move the list link adjustment to after the "if (size)" block, but then the error is rather vague:

curl: (43) A libcurl function was given a bad argument

curl 7.50.3, macOS Sierra

@bagder bagder added crash HTTP labels Oct 4, 2016
@bagder
Member
bagder commented Oct 4, 2016

Thanks!

I agree that the error message is annoyingly cryptic, but it is hard to fix easily since we have no struct Curl_easy handle to for example do custom error messages with. I think that's still the easy fix to go with and improving the error message is a more longer term fix. I'd like to add easy handles to a new set of curl_formadd() functions and deprecate the old functions that don't take any such argument and then lots of good opportunities will open.

So, I'll merge this easy fix now.

@bagder bagder added a commit that closed this issue Oct 4, 2016
@bagder bagder formpost: trying to attach a directory no longer crashes
The error path would previously add a freed entry to the linked list.

Reported-by: Toby Peterson

Fixes #1053
bdf162a
@bagder bagder closed this in bdf162a Oct 4, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment