Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

curl_multi_remove_handle crash after enabling http2 server push #1249

zelinchen opened this issue Feb 6, 2017 · 2 comments

curl_multi_remove_handle crash after enabling http2 server push #1249

zelinchen opened this issue Feb 6, 2017 · 2 comments


Copy link

I did this

Attachment is code modified from
The difference is that, it will remove easy handle before transfer is finished, instead of waiting for "CURLMSG_DONE".
In this case, it cause crash within curl_multi_remove_handle().

Here are part of the trace infromation from valgrind:

==23947== Process terminating with default action of signal 11 (SIGSEGV)
==23947==  Access not within mapped region at address 0xC
==23947==    at 0x40922B4: http2_disconnect (http2.c:137)
==23947==    by 0x405A1D6: Curl_disconnect (url.c:3024)
==23947==    by 0x40741FE: multi_done (multi.c:626)
==23947==    by 0x407440B: curl_multi_remove_handle (multi.c:727)
==23947==    by 0x804930D: main (curl_server_push_test.c:332)
==23947==  If you believe this happened as a result of a stack
==23947==  overflow in your program's main thread (unlikely but
==23947==  possible), you can try to increase the size of the
==23947==  main thread stack using the --main-stacksize= flag.
==23947==  The main thread stack size used in this run was 16777216.

I expected the following

No crash.

curl/libcurl version


operating system


Copy link

Here is the quick patch, works fine for me:

--- a/lib/http2.c       2016-12-19 15:27:56.000000000 +0800
+++ b/lib/http2.c       2017-02-07 10:11:20.882128999 +0800
@@ -415,6 +415,7 @@ static int push_promise(struct Curl_easy
     stream->push_headers = NULL;
+    stream->push_headers_used = 0;

     if(rv) {
       /* denied, kill off the new handle again */

@bagder bagder closed this as completed in d836123 Feb 7, 2017
Copy link

bagder commented Feb 7, 2017

Thanks! The fix is perfectly sensible.

@lock lock bot locked as resolved and limited conversation to collaborators May 6, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet

No branches or pull requests

2 participants