heap-use-after-free with HTTP3 #12356
Comments
/cc @icing

@lemourin Can you trigger this against a public URL?
I fail to reproduce this on my end on Linux. I tried both 8.4.0 and current master, with SAN builds and just valgrind. But based on the stack trace, this looks like we get data on a stream that belongs to a transfer we already closed and freed the easy handle for, so we use a dangling pointer. @icing, do you think this is what happens? If so, we need to add better precautions to prevent this from happening...
It looks like the easy cleanup is called before the transfer is done. Currently working on a PR. My read is that easy_cleanup, by first detaching the connection, prevented the

- refs curl#12356 where a UAF is reported when closing a connection with a stream whose easy handle was cleaned up already
- handle DETACH events same as DONE events in h2/h3 filters

@lemourin would you be able to throw the PR into your app? It seems a condition that cannot be triggered by the
Seems to be working. Thanks for the quick fix! |
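The ownership hazard the comments describe, as an added example (not libcurl's code): a connection filter keeps a per-stream back-pointer to the easy handle consuming that stream; if cleanup frees the handle while the stream is still registered, the next data event on that stream writes through a dangling pointer. The fix sketched in the commit message, treating DETACH like DONE so the filter forgets the stream before the handle is freed, is modelled by `cf_event_fixed`. All names here (`struct conn`, `cf_event_buggy`, `cf_event_fixed`, `CF_EVENT_DETACH`, `transfer_open`, the scenario functions) are hypothetical stand-ins; the real filter and event plumbing is not reproduced.

```c
/* Added example: hypothetical model of the stream/easy-handle ownership bug.
 * Not libcurl's own code; names and structures are illustrative only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STREAMS 4

struct easy {              /* stands in for a transfer's easy handle */
    char   recv[64];       /* where stream data is delivered */
    size_t recv_len;
};

struct stream {
    int          id;       /* protocol stream id, -1 when the slot is free */
    struct easy *owner;    /* back-pointer to the transfer consuming this stream */
};

struct conn {              /* one multiplexed (h2/h3-style) connection */
    struct stream streams[MAX_STREAMS];
};

enum cf_event { CF_EVENT_DONE, CF_EVENT_DETACH };   /* hypothetical event names */

void conn_init(struct conn *c) {
    for (int i = 0; i < MAX_STREAMS; i++) { c->streams[i].id = -1; c->streams[i].owner = NULL; }
}

static struct stream *find_stream(struct conn *c, int id) {
    for (int i = 0; i < MAX_STREAMS; i++)
        if (c->streams[i].id == id) return &c->streams[i];
    return NULL;
}

/* Open a transfer on stream `id`; the easy handle lives on the heap. */
struct easy *transfer_open(struct conn *c, int id) {
    struct stream *s = find_stream(c, -1);          /* any free slot */
    if (!s) return NULL;
    struct easy *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    s->id = id; s->owner = e;
    return e;
}

/* Filter side: forget every stream consumed by transfer e. */
static void drop_streams_of(struct conn *c, struct easy *e) {
    for (int i = 0; i < MAX_STREAMS; i++)
        if (c->streams[i].owner == e) { c->streams[i].owner = NULL; c->streams[i].id = -1; }
}

/* Pre-fix handler: only DONE clears the back-pointer, DETACH is ignored. */
void cf_event_buggy(struct conn *c, struct easy *e, enum cf_event ev) {
    if (ev == CF_EVENT_DONE) drop_streams_of(c, e);
}

/* Fixed handler: DETACH is handled the same as DONE. */
void cf_event_fixed(struct conn *c, struct easy *e, enum cf_event ev) {
    if (ev == CF_EVENT_DONE || ev == CF_EVENT_DETACH) drop_streams_of(c, e);
}

/* Cleanup detaches from the connection first, then frees the handle.
 * Which handler the filter installed decides whether a dangling pointer survives. */
void easy_cleanup(struct conn *c, struct easy *e,
                  void (*cf_event)(struct conn *, struct easy *, enum cf_event)) {
    cf_event(c, e, CF_EVENT_DETACH);
    free(e);
}

/* Data for stream `id` arrives from the peer. Returns bytes delivered, or -1
 * when the stream has no live owner. If `owner` dangles, the memcpy below is
 * exactly the heap-use-after-free an ASAN build reports. */
int conn_on_stream_data(struct conn *c, int id, const char *data, size_t n) {
    struct stream *s = find_stream(c, id);
    if (!s || !s->owner) return -1;
    size_t room = sizeof s->owner->recv - s->owner->recv_len;
    if (n > room) n = room;
    memcpy(s->owner->recv + s->owner->recv_len, data, n);
    s->owner->recv_len += n;
    return (int)n;
}

/* Inspection helper: does the slot for stream `id` still reference `addr`? */
bool stream_owner_is(struct conn *c, int id, uintptr_t addr) {
    struct stream *s = find_stream(c, id);
    return s && (uintptr_t)s->owner == addr;
}

/* Scenario 1, pre-fix handler: the handle is freed but the slot still points
 * at it. Returns true when the dangling owner pointer is observed. We only
 * inspect the pointer; delivering data here would be the actual UAF. */
bool scenario_buggy_leaves_dangling_owner(void) {
    struct conn c; conn_init(&c);
    struct easy *e = transfer_open(&c, 3);
    if (!e || conn_on_stream_data(&c, 3, "ok", 2) != 2) return false;
    uintptr_t addr = (uintptr_t)e;                 /* saved before free */
    easy_cleanup(&c, e, cf_event_buggy);
    return stream_owner_is(&c, 3, addr);
}

/* Scenario 2, fixed handler: DETACH cleared the slot, so late data on the
 * stream is dropped (-1) instead of being written into freed memory. */
int scenario_fixed_drops_late_data(void) {
    struct conn c; conn_init(&c);
    struct easy *e = transfer_open(&c, 5);
    if (!e) return -99;
    easy_cleanup(&c, e, cf_event_fixed);
    return conn_on_stream_data(&c, 5, "late", 4);
}
```

Run scenario 1 under AddressSanitizer with an extra `conn_on_stream_data(&c, 3, ...)` after the cleanup to see the write-after-free fire; the fixed variant turns the same late delivery into a dropped event, which is the behaviour a connection filter needs whenever a transfer can be torn down before its stream is.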
I did this
I've built my app with curl + HTTP3 (via quictls + ngtcp2 + nghttp3). On Windows (built with MSVC) it crashes 100% of the time; on macOS or Android it is very hard to repro the crash (easy to repro with curl 8.4.0). ASAN dump:
NB. the app works fine when built with HTTP2 only
If needed I can provide curl debug logs as well.
I expected the following
No crash.
curl/libcurl version
curl head (fa71483) with quictls (openssl-3.1.4+quic), ngtcp2 (v1.0.1), nghttp3 (v1.0.0).
operating system
Windows 11