$ src/curl tftp://example.com --proxy 1
curl: (55) getpeername() failed with errno 107: Transport endpoint is not connected
free(): double free detected in tcache 2
Abandon (core dumped)
$ libtool --mode=execute valgrind --leak-check=full src/curl tftp://example.com --proxy 1
==2134294== Memcheck, a memory error detector
==2134294== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2134294== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==2134294== Command: /home/even/curl/src/.libs/curl tftp://example.com --proxy 1
==2134294==
curl: (55) getpeername() failed with errno 107: Noeud final de transport n'est pas connecté
==2134294== Invalid free() / delete / delete[] / realloc()
==2134294== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2134294== by 0x48D216C: Curl_free_request_state (url.c:2203)
==2134294== by 0x48CE364: Curl_close (url.c:402)
==2134294== by 0x486F526: curl_easy_cleanup (easy.c:742)
==2134294== by 0x11E175: post_per_transfer (in /home/even/curl/src/.libs/curl)
==2134294== by 0x124905: operate (in /home/even/curl/src/.libs/curl)
==2134294== by 0x114142: main (in /home/even/curl/src/.libs/curl)
==2134294== Address 0x508fb70 is 0 bytes inside a block of size 656 free'd
==2134294== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2134294== by 0x48CF4F0: conn_free (url.c:791)
==2134294== by 0x48CF6BF: Curl_disconnect (url.c:874)
==2134294== by 0x48A2571: multi_runsingle (multi.c:2522)
==2134294== by 0x48A27EC: curl_multi_perform (multi.c:2591)
==2134294== by 0x486F1F0: easy_transfer (easy.c:606)
==2134294== by 0x486F459: easy_perform (easy.c:696)
==2134294== by 0x486F4CB: curl_easy_perform (easy.c:715)
==2134294== by 0x1248E5: operate (in /home/even/curl/src/.libs/curl)
==2134294== by 0x114142: main (in /home/even/curl/src/.libs/curl)
==2134294== Block was alloc'd at
==2134294== at 0x483DD99: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2134294== by 0x488E7F7: connect_init (http_proxy.c:169)
==2134294== by 0x488FD04: Curl_proxyCONNECT (http_proxy.c:1045)
==2134294== by 0x488E698: Curl_proxy_connect (http_proxy.c:117)
==2134294== by 0x4886CEB: Curl_http_connect (http.c:1492)
==2134294== by 0x48A13BB: multi_runsingle (multi.c:1935)
==2134294== by 0x48A27EC: curl_multi_perform (multi.c:2591)
==2134294== by 0x486F1F0: easy_transfer (easy.c:606)
==2134294== by 0x486F459: easy_perform (easy.c:696)
==2134294== by 0x486F4CB: curl_easy_perform (easy.c:715)
==2134294== by 0x1248E5: operate (in /home/even/curl/src/.libs/curl)
==2134294== by 0x114142: main (in /home/even/curl/src/.libs/curl)
Author: Daniel Stenberg <daniel@haxx.se>
Date: Fri Nov 12 13:34:49 2021 +0100
Curl_connect_done: handle being called twice
Follow-up to f0b7099a10d1a7c
When torture testing 1021, it turns out the Curl_connect_done function
might be called twice and that previously then wrongly cleared the HTTP
pointer in the second invoke.
Closes #7999
lib/http_proxy.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
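The pattern behind the commit message above (a CONNECT-phase "done" hook that must tolerate being called twice), as an added C illustration that is not curl's code: the struct and function names are hypothetical stand-ins, and the naive variant models only the symptom the message describes, the live HTTP pointer being wrongly cleared on the second invocation, next to an idempotent version.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the per-request HTTP state and the CONNECT
 * bookkeeping (names are illustrative, not curl's real structs). */
struct http_state { int id; };
struct request { struct http_state *http; };   /* live protocol pointer */
struct connect_state {
    struct http_state *tunnel;  /* state used only for the proxy CONNECT */
    struct http_state *saved;   /* the request's own pointer, parked */
    int finished;               /* hardened variant: has done() run? */
};

/* Start the CONNECT phase: park the request's pointer, install tunnel state. */
static void connect_init(struct request *req, struct connect_state *s)
{
    s->tunnel = calloc(1, sizeof *s->tunnel);
    s->saved = req->http;
    req->http = s->tunnel;
    s->finished = 0;
}

/* Naive done(): assumes it runs exactly once. On a second call 'saved' is
 * already NULL, so the live HTTP pointer is wrongly cleared. */
static void connect_done_naive(struct request *req, struct connect_state *s)
{
    req->http = s->saved;
    s->saved = NULL;
    free(s->tunnel);
    s->tunnel = NULL;
}

/* Hardened done(): idempotent, so a repeated call leaves the request intact. */
static void connect_done_safe(struct request *req, struct connect_state *s)
{
    if(s->finished) return;
    s->finished = 1;
    connect_done_naive(req, s);   /* the single-shot body is fine once */
}

/* Run init, then done() twice; return 1 if the original pointer survives. */
static int survives_double_done(int hardened)
{
    struct http_state orig = { 42 };
    struct request req = { &orig };
    struct connect_state s;
    connect_init(&req, &s);
    for(int i = 0; i < 2; i++)
        hardened ? connect_done_safe(&req, &s) : connect_done_naive(&req, &s);
    return req.http == &orig;
}
```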
operating system
Linux even-ThinkPad-P15v-Gen-1 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
I did this
Initially found by oss-fuzz on GDAL (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40963)
with curl master at 3bf54f9
$ src/curl -V
git bisects point to commit b89a4b5