
null pointer dereference in Curl_thread_join() #3850

Closed
geeknik opened this issue May 7, 2019 · 2 comments

@geeknik commented May 7, 2019

I did this

echo "VVI6MAotOgppbnQ6MApkTzowClVSOjA=" | base64 -d | tee test0000.curl

./curl -q -K test0000.curl https://twitter.com/geeknik

I expected the following

No crash.

But this happened instead

#0 0x6242c1 in Curl_thread_join /root/curl/lib/curl_threads.c:93:28
#1 0x53d6c7 in thread_wait_resolv /root/curl/lib/asyn-thread.c:475:6
#2 0x53d6c7 in Curl_resolver_wait_resolv /root/curl/lib/asyn-thread.c:533
#3 0x51a99b in bindlocal /root/curl/lib/connect.c:362:15
#4 0x51a99b in singleipconnect /root/curl/lib/connect.c:1071
#5 0x51956a in Curl_connecthost /root/curl/lib/connect.c:1211:14
#6 0x5c533c in Curl_setup_conn /root/curl/lib/url.c:4019:14
#7 0x5c5ad8 in Curl_connect /root/curl/lib/url.c:4062:16
#8 0x527b87 in multi_runsingle /root/curl/lib/multi.c:1356:16
#9 0x5257d2 in curl_multi_perform /root/curl/lib/multi.c:2065:14
#10 0x513a9b in easy_transfer /root/curl/lib/easy.c:624:15
#11 0x513a9b in easy_perform /root/curl/lib/easy.c:718
#12 0x513a9b in curl_easy_perform /root/curl/lib/easy.c:737
#13 0x4f72b3 in operate_do /root/curl/src/tool_operate.c:1592:20
#14 0x4eb08c in operate /root/curl/src/tool_operate.c:2095:20
#15 0x4e9ec7 in main /root/curl/src/tool_main.c:326:14
#16 0x7fac899972e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#17 0x423f09 in _start (/root/curl/src/curl+0x423f09)

curl/libcurl version

Git commit 139202b

curl 7.65.0-DEV (x86_64-pc-linux-gnu) libcurl/7.65.0-DEV OpenSSL/1.1.0j zlib/1.2.8
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets

operating system

Debian 9.x x64

@jay (Member) commented May 9, 2019

echo "VVI6MAotOgppbnQ6MApkTzowClVSOjA=" | base64 -d | tee test0000.curl

UR:0
-:
int:0
dO:0
UR:0

How'd you come up with that data? I can't reproduce in Windows 7 (native or cygwin) but in Ubuntu:

lt-curl: asyn-thread.c:471: thread_wait_resolv: Assertion `conn && td' failed.
Aborted

I'm still not entirely sure what that config is doing yet. It looks like it's using DoH but I don't know why since that option isn't specified. I can get the same assertion with just this and no url:

int:0
dO:0
UR:0
@bagder (Member) commented May 9, 2019

How'd you come up with that data?

I presume fuzzing was involved.

bagder added a commit that referenced this issue May 9, 2019

doh: disable DOH for when it doesn't work
Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for
DOH resolves. This fix disables DOH for those.

Fixes #3850

@bagder bagder closed this in 12d655d May 11, 2019
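An added model of the crash class in this thread, written for this page and not taken from curl: a resolver wait routine that joins a worker handle without checking that the async path actually created one, beside a guarded version, plus a route selection that keeps a blocking caller off the out-of-band path (the approach the commit above takes by disabling DoH for that case, rather than adding a NULL check). Every name here (worker_t, thread_data_t, wait_resolv_guarded, resolve_blocking, the 10.0.0.1 answer) is hypothetical, and the worker is a heap object that holds its answer from the start so the file builds without pthreads.

```c
#include <stdio.h>
#include <stdlib.h>

/* Result codes for the wait routines (hypothetical). */
enum { RESOLVE_OK = 0, RESOLVE_ERR_NO_THREAD = 1, RESOLVE_ERR_FAILED = 2 };

/* Stand-in for a worker thread: holds its answer so no pthreads are needed. */
typedef struct worker {
    int addr;                    /* resolved address, 0 on lookup failure */
} worker_t;

/* Per-transfer data owned by the threaded resolver. */
typedef struct thread_data {
    worker_t *thread_hnd;        /* handle of the worker doing the lookup */
} thread_data_t;

/* Async resolver state hanging off a connection. */
typedef struct async_state {
    thread_data_t *os_specific;  /* set by the threaded path, NULL otherwise */
    int addr;                    /* answer copied out by the wait routine */
} async_state_t;

static worker_t *worker_start(int addr) {
    worker_t *w = malloc(sizeof *w);
    if (w)
        w->addr = addr;
    return w;
}

/* Join helper in the shape of a thread-join wrapper: it takes the address of
 * the handle slot and dereferences it unconditionally. A slot address derived
 * from a NULL thread_data makes this the crash site. */
static int worker_join(worker_t **hnd, int *addr_out) {
    *addr_out = (*hnd)->addr;
    free(*hnd);
    *hnd = NULL;
    return *addr_out != 0;
}

/* Threaded path: allocates thread_data and starts a worker. */
static int start_threaded(async_state_t *st, int addr) {
    st->os_specific = malloc(sizeof *st->os_specific);
    if (!st->os_specific)
        return 0;
    st->os_specific->thread_hnd = worker_start(addr);
    return st->os_specific->thread_hnd != NULL;
}

/* Out-of-band path (DoH-style): the answer arrives through a separate
 * transfer, so no thread_data exists and os_specific stays NULL. */
static void start_out_of_band(async_state_t *st) {
    st->os_specific = NULL;
}

static int finish_join(async_state_t *st, thread_data_t *td) {
    int ok = worker_join(&td->thread_hnd, &st->addr);
    free(td);
    st->os_specific = NULL;
    return ok ? RESOLVE_OK : RESOLVE_ERR_FAILED;
}

/* Unguarded wait: assumes the threaded path ran. With os_specific == NULL,
 * &td->thread_hnd is computed from a null pointer and worker_join faults. */
static int wait_resolv_unguarded(async_state_t *st) {
    return finish_join(st, st->os_specific);
}

/* Guarded wait: refuses to join when no worker exists and reports an error
 * the caller can act on instead of dereferencing NULL. */
static int wait_resolv_guarded(async_state_t *st) {
    thread_data_t *td = st->os_specific;
    if (!td || !td->thread_hnd)
        return RESOLVE_ERR_NO_THREAD;
    return finish_join(st, td);
}

/* Route selection: a caller that must block for the answer (an interface
 * given by name that has to be bound before connecting) stays on the
 * threaded path even if out-of-band resolving is preferred, because the
 * out-of-band path leaves nothing to wait on. */
static int resolve_blocking(async_state_t *st, int prefer_out_of_band, int addr) {
    (void)prefer_out_of_band;    /* ignored on purpose for blocking callers */
    if (!start_threaded(st, addr))
        return RESOLVE_ERR_FAILED;
    return wait_resolv_guarded(st);
}

/* Scenario driver: 0 = threaded, 1 = out-of-band; constructed answer 10.0.0.1. */
static int run_scenario(int out_of_band, int *addr_out) {
    async_state_t st = { NULL, 0 };
    int rc;
    if (out_of_band)
        start_out_of_band(&st);
    else if (!start_threaded(&st, 0x0a000001))
        return RESOLVE_ERR_FAILED;
    rc = wait_resolv_guarded(&st);
    *addr_out = st.addr;
    return rc;
}

int main(void) {
    async_state_t st = { NULL, 0 };
    int rc, addr = 0;
    start_threaded(&st, 0x0a000001);
    rc = wait_resolv_unguarded(&st);   /* safe here: a worker exists */
    printf("threaded, unguarded wait: rc=%d addr=0x%08x\n", rc, st.addr);
    printf("out-of-band, guarded wait: rc=%d\n", run_scenario(1, &addr));
    printf("blocking caller, out-of-band preferred: rc=%d\n",
           resolve_blocking(&st, 1, 0x7f000001));
    return 0;
}
```

Build with cc and run: the out-of-band scenario returns RESOLVE_ERR_NO_THREAD from the guarded wait where the unguarded one would dereference a pointer computed from NULL, and the blocking caller gets an answer because it is never routed through the path that cannot be waited on.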
