curl 7.77.0 regression: segfault in Curl_ssl_getsessionid() #7148
Comments
I suppose Any chance you can convert that into a stand-alone C app that reproduces the problem?
Right! I've edited the versions above.
I'll give that a try.
C reproducer:

```c
#include <stdio.h>
#include <curl/curl.h>

/* the initial request; incremented for every pushed stream we accept */
int transfers = 1;

size_t write_callback(char *ptr, size_t size, size_t nmemb, void *userdata)
{
  (void)ptr; (void)size; (void)userdata;
  printf("Received %zu\n", nmemb);
  return nmemb;
}

/* CURLMOPT_PUSHFUNCTION: accept every server push and give the new
   easy handle a write callback */
int callback(CURL *parent,
             CURL *easy,
             size_t num_headers,
             struct curl_pushheaders *headers,
             void *userp)
{
  (void)parent; (void)num_headers; (void)headers; (void)userp;
  curl_easy_setopt(easy, CURLOPT_WRITEFUNCTION, write_callback);
  transfers++;
  return CURL_PUSH_OK;
}

int main(void)
{
  curl_global_init(CURL_GLOBAL_DEFAULT);
  CURLM *mh = curl_multi_init();
  curl_multi_setopt(mh, CURLMOPT_PIPELINING, CURLPIPE_MULTIPLEX);
  curl_multi_setopt(mh, CURLMOPT_PUSHFUNCTION, callback);

  CURL *h = curl_easy_init();
  curl_easy_setopt(h, CURLOPT_URL, "https://http2.golang.org/serverpush");
  /* these options take a long; curl_easy_setopt reads them through varargs */
  curl_easy_setopt(h, CURLOPT_HTTP_VERSION, (long)CURL_HTTP_VERSION_2_0);
  /* verification disabled only for this reproducer */
  curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 0L);
  curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 0L);
  curl_multi_add_handle(mh, h);

  int running;
  do {
    curl_multi_perform(mh, &running);
    curl_multi_wait(mh, NULL, 0, 1000, NULL); /* don't spin while idle */
    CURLMsg *info;
    do {
      int msgs_in_queue;
      info = curl_multi_info_read(mh, &msgs_in_queue);
      if (info && info->msg == CURLMSG_DONE) {
        CURL *handle = info->easy_handle;
        if (handle) {
          transfers--;
          curl_multi_remove_handle(mh, handle);
          curl_easy_cleanup(handle);
        }
      }
    } while (info);
  } while (transfers);

  curl_multi_cleanup(mh);
  curl_global_cleanup();
  return 0;
}
```

Pretty contrived, but worked with cURL 7.76.1.
This function might get called for an easy handle for which the session cache hasn't been setup. It now just returns a "miss" in that case. Fixes #7148
Debug builds would warn that these structs were not initialized properly for pushed streams. Ref: #7148
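The fix commit above describes the defensive shape of the change: a session-cache lookup reached through an easy handle whose cache was never set up must report a miss instead of dereferencing a NULL pointer. The following is an added, constructed model of that pattern (it is not libcurl's vtls.c code; the `easy_state`, `session_entry`, `getsessionid_unguarded` and `getsessionid_guarded` names and the `SESSION_SLOTS` size are assumptions for illustration) showing the unguarded lookup beside the guarded one and a small driver that exercises both.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a per-handle TLS session cache; not libcurl's
   real structures. */
#define SESSION_SLOTS 4

struct session_entry {
    char host[64];
    int port;
    const void *sessionid;   /* opaque TLS session blob; NULL = empty slot */
};

struct easy_state {
    /* NULL until the cache is initialised; a pushed stream's easy handle
       can reach a lookup before that happens, the situation in #7148 */
    struct session_entry *session;
};

/* Unguarded lookup: walks state->session even when it is NULL, which is
   the shape of the regression. Returns true on miss, false on hit. */
static bool getsessionid_unguarded(const struct easy_state *state,
                                   const char *host, int port,
                                   const void **out)
{
    for (size_t i = 0; i < SESSION_SLOTS; i++) {
        const struct session_entry *e = &state->session[i];
        if (e->sessionid && e->port == port && strcmp(e->host, host) == 0) {
            *out = e->sessionid;
            return false;   /* hit */
        }
    }
    return true;   /* miss */
}

/* Guarded lookup: a handle whose cache was never set up simply reports a
   miss, the behaviour the fix commit describes. */
static bool getsessionid_guarded(const struct easy_state *state,
                                 const char *host, int port,
                                 const void **out)
{
    if (!state->session)
        return true;   /* no cache yet: miss, not a crash */
    return getsessionid_unguarded(state, host, port, out);
}

/* Exercises the guarded lookup on an initialised cache (hit and miss) and
   on an uninitialised handle; returns a bitmask of the three outcomes. */
int demo(void)
{
    static const char blob[] = "constructed-session-blob";   /* constructed */
    struct session_entry cache[SESSION_SLOTS];
    memset(cache, 0, sizeof(cache));
    strcpy(cache[1].host, "example.test");
    cache[1].port = 443;
    cache[1].sessionid = blob;

    struct easy_state ready = { cache };   /* cache set up */
    struct easy_state pushed = { NULL };   /* cache never set up */
    const void *found = NULL;
    int result = 0;

    if (!getsessionid_guarded(&ready, "example.test", 443, &found) && found == blob)
        result |= 1;   /* hit on the initialised cache */
    if (getsessionid_guarded(&ready, "other.test", 443, &found))
        result |= 2;   /* miss for an unknown host */
    if (getsessionid_guarded(&pushed, "example.test", 443, &found))
        result |= 4;   /* miss instead of a NULL dereference */
    return result;
}

int main(void)
{
    printf("demo bitmask: %d\n", demo());   /* 7 when all three checks pass */
    return 0;
}
```

The guard costs one pointer comparison on every lookup and turns a crash reachable from server-initiated traffic (a pushed stream the client never asked for) into an ordinary cache miss, which is the only safe answer when no cache exists to consult.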
Thanks, this made it really easy to reproduce!
I did this
I ran the PHP curl extension's test suite with libcurl 7.77.0.
I expected the following
I expected all tests to succeed like with libcurl 7.76.1.
curl/libcurl version
curl 7.77.0 (x86_64-pc-win32) libcurl/7.77.0 OpenSSL/1.1.1k zlib/1.2.11 WinIDN libssh2/1.9.0 nghttp2/1.40.0
Release-Date: 2021-05-26
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI UnixSockets alt-svc libz
operating system
Windows 10
Instead of all tests passing, a single test case fails due to a segfault in Curl_ssl_getsessionid(), because &data->state.session == NULL in curl/lib/vtls/vtls.c (line 421 in a43e1da).

This is most likely caused by the fix for CVE-2021-22901. Maybe it is sufficient to return TRUE if &data->state.session == NULL here, but maybe the root cause lies somewhere else.

FWIW, the stack backtrace: