Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use-after-free bug in curl_multi_remove_handle() #4575

MaxKellermann opened this issue Nov 8, 2019 · 2 comments

Use-after-free bug in curl_multi_remove_handle() #4575

MaxKellermann opened this issue Nov 8, 2019 · 2 comments


Copy link

MaxKellermann commented Nov 8, 2019

59041f0 introduces a use-after-free bug in CURL 7.67.0 from inside curl_multi_remove_handle()

See MusicPlayerDaemon/MPD#681 (comment) for an explanation.

bagder added a commit that referenced this issue Nov 10, 2019
Since 59041f0, a new timer might be set in multi_done() so the clearing
of the timers need to happen afterwards!

Reported-by: Max Kellermann
Fixes #4575
Copy link

bagder commented Nov 10, 2019

@MaxKellermann, does #4583 fix the issue for you?

Copy link

It does. (I am involved in the downstream Arch Linux bug report.)
Thanks a lot!

@bagder bagder closed this as completed in 13182b3 Nov 11, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Feb 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Successfully merging a pull request may close this issue.

3 participants