Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use-after-free bug in curl_multi_remove_handle() #4575

Closed
MaxKellermann opened this issue Nov 8, 2019 · 2 comments
Labels

Comments

@MaxKellermann
Copy link

@MaxKellermann MaxKellermann commented Nov 8, 2019

59041f0 introduces a use-after-free bug in CURL 7.67.0 from inside curl_multi_remove_handle()

See MusicPlayerDaemon/MPD#681 (comment) for an explanation.

bagder added a commit that referenced this issue Nov 10, 2019
Since 59041f0, a new timer might be set in multi_done() so the clearing
of the timers need to happen afterwards!

Reported-by: Max Kellermann
Fixes #4575
@bagder

This comment has been minimized.

Copy link
Member

@bagder bagder commented Nov 10, 2019

@MaxKellermann, does #4583 fix the issue for you?

@eworm-de

This comment has been minimized.

Copy link

@eworm-de eworm-de commented Nov 11, 2019

It does. (I am involved in the downstream Arch Linux bug report.)
Thanks a lot!

@bagder bagder closed this in 13182b3 Nov 11, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.