Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use-after-free bug in curl_multi_remove_handle() #4575

Closed
MaxKellermann opened this issue Nov 8, 2019 · 2 comments
Closed

Use-after-free bug in curl_multi_remove_handle() #4575

MaxKellermann opened this issue Nov 8, 2019 · 2 comments
Labels
crash HTTP/2

Comments

@MaxKellermann
Copy link

MaxKellermann commented Nov 8, 2019
edited by falconindy

59041f0 introduces a use-after-free bug in CURL 7.67.0 from inside curl_multi_remove_handle()

See MusicPlayerDaemon/MPD#681 (comment) for an explanation.
bagder added a commit that referenced this issue Nov 10, 2019
@bagder
remove_handle: clear expire timers after multi_done()
253c31c 
Since 59041f0, a new timer might be set in multi_done() so the clearing
of the timers need to happen afterwards!

Reported-by: Max Kellermann
Fixes #4575
@bagder bagder mentioned this issue Nov 10, 2019
Closed
@bagder
Copy link
Member

bagder commented Nov 10, 2019

@MaxKellermann, does #4583 fix the issue for you?

@eworm-de
Copy link

eworm-de commented Nov 11, 2019

It does. (I am involved in the downstream Arch Linux bug report.)
Thanks a lot!

@bagder bagder closed this as completed in 13182b3 Nov 11, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Feb 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
crash HTTP/2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

remove_handle: clear expire timers after multi_done() curl/curl
3 participants
@bagder @eworm-de @MaxKellermann