Skip to content

/ curl

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use-after-free bug in curl_multi_remove_handle() #4575

Closed
MaxKellermann opened this issue Nov 8, 2019 · 2 comments
Closed

Use-after-free bug in curl_multi_remove_handle() #4575

MaxKellermann opened this issue Nov 8, 2019 · 2 comments
Labels
HTTP/2 crash

Comments

@MaxKellermann
Copy link

@MaxKellermann MaxKellermann commented Nov 8, 2019
edited by falconindy

59041f0 introduces a use-after-free bug in CURL 7.67.0 from inside curl_multi_remove_handle()

See MusicPlayerDaemon/MPD#681 (comment) for an explanation.
bagder added a commit that referenced this issue Nov 10, 2019
@bagder
remove_handle: clear expire timers after multi_done()
Verified
This commit was signed with the committer’s verified signature.
bagder Daniel Stenberg
GPG key ID: 5CC908FDB71E12C2 Learn about vigilant mode.
Loading status checks…
253c31c 
Since 59041f0, a new timer might be set in multi_done() so the clearing
of the timers need to happen afterwards!

Reported-by: Max Kellermann
Fixes #4575
@bagder bagder mentioned this issue Nov 10, 2019
Closed
@bagder
Copy link
Member

@bagder bagder commented Nov 10, 2019

@MaxKellermann, does #4583 fix the issue for you?
@eworm-de
Copy link

@eworm-de eworm-de commented Nov 11, 2019

It does. (I am involved in the downstream Arch Linux bug report.)
Thanks a lot!
@bagder bagder closed this in 13182b3 Nov 11, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Feb 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
HTTP/2 crash
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

remove_handle: clear expire timers after multi_done()
3 participants
@bagder @eworm-de @MaxKellermann