heap-use-after-free with HTTP3 #12356
I did this
I've built my app with curl + HTTP3 (via quictls + ngtcp2 + nghttp3). On Windows (built with MSVC) it crashes 100% of the time, on macOS or Android it is very hard to repro the crash (easy to repro with curl 8.4.0). ASAN dump:
NB. the app works fine when built with HTTP2 only
If needed I can provide curl debug logs as well.
I expected the following
I fail to reproduce this on my end on Linux. I tried both 8.4.0 and current master, with SAN builds and just valgrind.
But based on the stack trace, this looks like we get data on a stream that belongs to a transfer we already closed and freed the easy handle for, so we use a dangling pointer.
@icing, do you think this is what happens? If so, we need to add better precautions to prevent this from happening...
It looks like the easy cleanup is called before the transfer is done. Currently working on a PR.
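A minimal C model of the lifetime problem discussed in the comments above, added here as an illustration; it is not code from curl or from the PR mentioned. The `conn`, `transfer` and function names are hypothetical stand-ins for the HTTP/3 connection and the easy handle, and the byte counts are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_STREAMS 8
/* Hypothetical stand-ins: 'transfer' plays the easy handle, 'conn' the connection. */
struct transfer { size_t received; };
struct conn {
  struct transfer *owner[MAX_STREAMS]; /* stream id -> transfer using it */
  size_t discarded;                    /* bytes dropped for ownerless streams */
};
/* Stream data callback: returns 1 if delivered, 0 if dropped. */
static int conn_on_stream_data(struct conn *c, int sid, size_t len)
{
  struct transfer *t;
  if(sid < 0 || sid >= MAX_STREAMS) return 0;
  t = c->owner[sid];
  if(!t) {               /* no live transfer on this stream: never dereference */
    c->discarded += len;
    return 0;
  }
  t->received += len;
  return 1;
}

/* Cleanup order that leaves no dangling pointer: unlink the streams, then free. */
static void transfer_cleanup(struct conn *c, struct transfer *t)
{
  int i;
  for(i = 0; i < MAX_STREAMS; i++)
    if(c->owner[i] == t)
      c->owner[i] = NULL;
  free(t);
}

/* Constructed scenario: data, cleanup, then late data. Returns bytes dropped. */
static size_t late_data_scenario(void)
{
  struct conn c;
  struct transfer *t = calloc(1, sizeof(*t));
  memset(&c, 0, sizeof(c));
  if(!t) return 0;
  c.owner[0] = t;
  conn_on_stream_data(&c, 0, 100);  /* delivered to the live transfer */
  transfer_cleanup(&c, t);          /* transfer goes away, stream unlinked */
  conn_on_stream_data(&c, 0, 40);   /* late data: dropped, not written to freed memory */
  return c.discarded;
}

int main(void) { printf("dropped %zu late bytes\n", late_data_scenario()); return 0; }
```

If `transfer_cleanup` freed `t` without clearing `owner[]`, the second callback would write through a freed pointer, which is the class of error ASAN reports as heap-use-after-free.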
My read is that easy_cleanup, by first detaching the connection, prevented the