Skip to content

heap-buffer-overflow when using curl_multi_wait #7379

Closed
@sylgal

Description

@sylgal

I did this

Using curl_multi_wait (400 connections), most of them cannot be established

I got the following crash:

==65100==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f0000ad2b0 at pc 0x0000004649d7 bp 0x00004e072680 sp 0x00004e071e28
READ of size 4 at 0x61f0000ad2b0 thread T11
    #0 0x4649d6 in poll (/tmp/a+0x4649d6)
    #1 0x40bb9292 in Curl_poll /usr/ports/ftp/curl/work/curl-7.77.0/lib/select.c:374:7
    #2 0x40baca06 in multi_wait /usr/ports/ftp/curl/work/curl-7.77.0/lib/multi.c:1269:14
    #3 0x40bac4da in curl_multi_wait /usr/ports/ftp/curl/work/curl-7.77.0/lib/multi.c:1398:10

0x61f0000ad2b0 is located 0 bytes to the right of 3120-byte region [0x61f0000ac680,0x61f0000ad2b0)
allocated by thread T11 here:
    #0 0x49147d in malloc (/tmp/a+0x49147d)
    #1 0x40bac73f in multi_wait /usr/ports/ftp/curl/work/curl-7.77.0/lib/multi.c:1158:12
    #2 0x40bac4da in curl_multi_wait /usr/ports/ftp/curl/work/curl-7.77.0/lib/multi.c:1398:10

I expected the following

No crash

curl/libcurl version

curl 7.77.0 (amd64-portbld-freebsd13.0) libcurl/7.77.0 OpenSSL/1.1.1k zlib/1.2.11 libssh2/1.9.0 nghttp2/1.43.0

operating system

FreeBSD fb13-x64-sds73 13.0-STABLE FreeBSD 13.0-STABLE #239 stable/13-n245926-68d6663afba-dirty: Thu Jul 8 01:28:22 UTC 2021 root@fb13-x64-test:/usr/obj/usr/src/amd64.amd64/sys/SOLIDSERVER amd64

No crash after applying the following patch:

--- lib/multi.c.orig    2021-07-02 09:50:52.535241000 +0000
+++ lib/multi.c 2021-07-02 09:53:18.924601000 +0000
@@ -1176,7 +1176,7 @@
 #ifdef USE_WINSOCK
         long mask = 0;
 #endif
-        if(bitmap & GETSOCK_READSOCK(i)) {
+        if((bitmap & GETSOCK_READSOCK(i)) && VALID_SOCK((sockbunch[i]))) {
           s = sockbunch[i];
 #ifdef USE_WINSOCK
           mask |= FD_READ|FD_ACCEPT|FD_CLOSE;
@@ -1185,7 +1185,7 @@
           ufds[nfds].events = POLLIN;
           ++nfds;
         }
-        if(bitmap & GETSOCK_WRITESOCK(i)) {
+        if((bitmap & GETSOCK_WRITESOCK(i)) && VALID_SOCK((sockbunch[i]))) {
           s = sockbunch[i];
 #ifdef USE_WINSOCK
           mask |= FD_WRITE|FD_CONNECT|FD_CLOSE;

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions