[schannel] Crash on SEC_E_ILLEGAL_MESSAGE

[gvanem]

I did this

While playing with some of the new (?) Windows Defender Advanced Threat Protection features, I got a crash in sendf.c. Enabling the most interesting Network Protection feature, and trying the NP test-URL by these steps:

c:\> powershell Set-MpPreference -EnableNetworkProtection Enabled

c:\> set CURL_SSL_BACKEND=schannel

c:\> curl -v https://smartscreentestratings2.net/
...
* schannel: checking server certificate revocation
* schannel: ALPN, offering h2
* schannel: ALPN, offering http/1.1
* schannel: sending initial handshake data: sending 210 bytes...
* schannel: sent initial handshake data: sent 210 bytes
* schannel: SSL/TLS connection with smartscreentestratings2.net port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x8a84b18; line 1627 (connection #0)
* schannel: SSL/TLS connection with smartscreentestratings2.net port 443 (step 2/3)
* schannel: encrypted data got 14
* schannel: encrypted data buffer: offset 14 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert
 is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* Marked for [closure]: Failed HTTPS connection
* multi_done
* Closing connection 0
* The cache now contains 0 members

<then the crash, see below>

I expected the following

A graceful SSL/TLS-handshake error message with no crash.

Crash details

Top of call-stack:

libcurl!pre_receive_plain+0x79 [f:\mingw32\src\inet\curl\lib\sendf.c @ 162] 
libcurl!Curl_send_plain(struct connectdata * conn = 0x08451530, int num = 0n0, void * mem = 0x084896d0, unsigned int len = 7, <unnamed-enum-CURLE_OK> * code = 0x007bf344)+0x85 [f:\mingw32\src\inet\curl\lib\sendf.c @ 381] 
libcurl!Curl_write_plain(struct connectdata * conn = <Value unavailable error>, unsigned int sockfd = 0x2c4, void * mem = 0x084896d0, unsigned int len = 7, int * written = 0x007bf368)+0x27 [f:\mingw32\src\inet\curl\lib\sendf.c @ 440] 
libcurl!Curl_schannel_shutdown(struct connectdata * conn = 0x08451530, int sockindex = 0n0)+0x170 [f:\mingw32\src\inet\curl\lib\vtls\schannel.c @ 2016] 

sendf.c, line 161-163 is:

      if (!psnd->buffer) {
        psnd->allocated_size = 2 * conn->data->set.buffer_size;  <<  crash
        psnd->buffer = curl_domalloc(psnd->allocated_size, 162, "sendf.c");

WinDbg shows that conn->data == NULL at the point where pre_receive_plain() is called (inlined).
Not sure this is related to other SChannel issues or if I could provoke this crash in other ways?

curl/libcurl version

curl 7.64.0-DEV (i386-pc-win32) libcurl/7.64.0-DEV (OpenSSL/3.0.0) WinSSL zlib/1.2.8 brotli/1.0.0 c-ares/1.15.0 libssh2/1.8.1_DEV nghttp2/1.
35.0 librtmp/2.3
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Debug TrackMemory IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz brotli TLS-SRP HTTP2 MultiSSL

operating system

Win-10, 1809, 64-bit. But curl is 32-bit (MSVC).

[gvanem]

Thanks Jay. Works w/o any crash now.