Skip to content

lib: sometimes we call Curl_dyn_free() on uninitialized dynbufs #16725

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bagder opened this issue Mar 14, 2025 · 3 comments
Closed

lib: sometimes we call Curl_dyn_free() on uninitialized dynbufs #16725

bagder opened this issue Mar 14, 2025 · 3 comments
Assignees
@icing
Labels
tidy-up

Comments

@bagder
Copy link
Member

bagder commented Mar 14, 2025

I did this

I added an assert in Curl_dyn_free() to make sure we only free dynbufs that are properly initialized first. (See patch below.)

This leads to a number of failures where existing code assumes that freeing uninitialized dynbufs is fine. As long as the struct is otherwise cleared, this is actually fine, but is a fragile thing to depend on. Plus, without the assert we cannot easily detect if the free is done on a dynbuf that was not cleared.

--- a/lib/dynbuf.c
+++ b/lib/dynbuf.c
@@ -57,10 +57,11 @@ void Curl_dyn_init(struct dynbuf *s, size_t toobig)
  * 'init' field and thus this buffer can be reused to add data to again.
  */
 void Curl_dyn_free(struct dynbuf *s)
 {
   DEBUGASSERT(s);
+  DEBUGASSERT(s->init == DYNINIT);
   Curl_safefree(s->bufr);
   s->leng = s->allc = 0;
 }
 
 /*

I expected the following

Curl_dyn_free() should only free dynbufs that have been initialized with Curl_dyn_init()-

curl/libcurl version

git master

operating system

all
@bagder bagder mentioned this issue Mar 14, 2025
Closed
@jay
Copy link
Member

jay commented Mar 15, 2025

Is there a reason this can't be solved by adding Curl_dyn_init calls where they're missing? Do you think of this as a problem of missing Curl_dyn_init calls or a problem of Curl_dyn_free being called indiscriminately?

@bagder
Copy link
Member Author

bagder commented Mar 15, 2025
edited
Loading

I believe most of them are cases where we do the cleanup procedure that includes the calls to Curl_dyn_free independently of what exactly was inited. The fixes for these are then probably to either make sure we do the init (earlier), or we make sure to skip the free if no init was ever done. I presume there could be a little of both.

icing added a commit to icing/curl that referenced this issue Mar 20, 2025
@icing
dynbuf: assert init on free
3b0fb93 
Add a DEBUGASSERT() in Curl_dyn_free() that checks that
Curl_dyn_init() has been performed before.

Fix code places that did it wrong.

refs curl#16725
@icing icing mentioned this issue Mar 20, 2025
Closed
@icing
Copy link
Contributor

icing commented Mar 20, 2025

made #16775 to add the assert and fix the failures.

@icing icing added the tidy-up label Mar 21, 2025
@bagder bagder closed this as completed in 646b2d6 Mar 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@icing icing

Labels
tidy-up
Milestone
No milestone
Development

No branches or pull requests
3 participants
@icing @bagder @jay