Double-free with 'curl tftp://example.com --proxy 1'

[rouault]

I did this

Initally found by oss-fuzz on GDAL (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40963)

with curl master at 3bf54f9

$ src/curl tftp://example.com --proxy 1
curl: (55) getpeername() failed with errno 107: Transport endpoint is not connected
free(): double free detected in tcache 2
Abandon (core dumped)

$ libtool --mode=execute valgrind --leak-check=full src/curl tftp://example.com --proxy 1
==2134294== Memcheck, a memory error detector
==2134294== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2134294== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==2134294== Command: /home/even/curl/src/.libs/curl tftp://example.com --proxy 1
==2134294== 
curl: (55) getpeername() failed with errno 107: Noeud final de transport n'est pas connecté
==2134294== Invalid free() / delete / delete[] / realloc()
==2134294==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2134294==    by 0x48D216C: Curl_free_request_state (url.c:2203)
==2134294==    by 0x48CE364: Curl_close (url.c:402)
==2134294==    by 0x486F526: curl_easy_cleanup (easy.c:742)
==2134294==    by 0x11E175: post_per_transfer (in /home/even/curl/src/.libs/curl)
==2134294==    by 0x124905: operate (in /home/even/curl/src/.libs/curl)
==2134294==    by 0x114142: main (in /home/even/curl/src/.libs/curl)
==2134294==  Address 0x508fb70 is 0 bytes inside a block of size 656 free'd
==2134294==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2134294==    by 0x48CF4F0: conn_free (url.c:791)
==2134294==    by 0x48CF6BF: Curl_disconnect (url.c:874)
==2134294==    by 0x48A2571: multi_runsingle (multi.c:2522)
==2134294==    by 0x48A27EC: curl_multi_perform (multi.c:2591)
==2134294==    by 0x486F1F0: easy_transfer (easy.c:606)
==2134294==    by 0x486F459: easy_perform (easy.c:696)
==2134294==    by 0x486F4CB: curl_easy_perform (easy.c:715)
==2134294==    by 0x1248E5: operate (in /home/even/curl/src/.libs/curl)
==2134294==    by 0x114142: main (in /home/even/curl/src/.libs/curl)
==2134294==  Block was alloc'd at
==2134294==    at 0x483DD99: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2134294==    by 0x488E7F7: connect_init (http_proxy.c:169)
==2134294==    by 0x488FD04: Curl_proxyCONNECT (http_proxy.c:1045)
==2134294==    by 0x488E698: Curl_proxy_connect (http_proxy.c:117)
==2134294==    by 0x4886CEB: Curl_http_connect (http.c:1492)
==2134294==    by 0x48A13BB: multi_runsingle (multi.c:1935)
==2134294==    by 0x48A27EC: curl_multi_perform (multi.c:2591)
==2134294==    by 0x486F1F0: easy_transfer (easy.c:606)
==2134294==    by 0x486F459: easy_perform (easy.c:696)
==2134294==    by 0x486F4CB: curl_easy_perform (easy.c:715)
==2134294==    by 0x1248E5: operate (in /home/even/curl/src/.libs/curl)
==2134294==    by 0x114142: main (in /home/even/curl/src/.libs/curl)

$ src/curl -V

curl 7.81.0-DEV (x86_64-pc-linux-gnu) libcurl/7.81.0-DEV OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 zstd/1.4.4
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli HSTS HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets zstd

git bisects point to commit b89a4b5

Author: Daniel Stenberg <daniel@haxx.se>
Date:   Fri Nov 12 13:34:49 2021 +0100

    Curl_connect_done: handle being called twice
    
    Follow-up to f0b7099a10d1a7c
    
    When torture testing 1021, it turns out the Curl_connect_done function
    might be called twice and that previously then wrongly cleared the HTTP
    pointer in the second invoke.
    
    Closes #7999

 lib/http_proxy.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

operating system

Linux even-ThinkPad-P15v-Gen-1 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

[rouault]

thanks!