Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Memory leak in CURLOPT_XOAUTH2_BEARER #8841

Tachi107 opened this issue May 13, 2022 · 1 comment

Memory leak in CURLOPT_XOAUTH2_BEARER #8841

Tachi107 opened this issue May 13, 2022 · 1 comment


Copy link

I did this

Given the following code:

#include <curl/curl.h>

int main(void) {

  CURL* curl = curl_easy_init();

  curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_BEARER);
  curl_easy_setopt(curl, CURLOPT_XOAUTH2_BEARER, "c4e448d652a961fda0ab64f882c8c161d5985f805d45d80c9ddca108f8e2fde3");
  curl_easy_setopt(curl, CURLOPT_HTTPGET, 1L);
  curl_easy_setopt(curl, CURLOPT_URL, "");

  for (int i = 0; i < 5; i++) {



AddressSanitizer reports a memory leak:

$ cc -g -fsanitize=address main.c $(pkg-config --cflags --libs libcurl) -o asan && ./asan
==41730==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 260 byte(s) in 4 object(s) allocated from:
    #0 0x7f52f54d97a7 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:454
    #1 0x7f52f54423cd  (/lib/x86_64-linux-gnu/

SUMMARY: AddressSanitizer: 260 byte(s) leaked in 4 allocation(s).

and valgrind does too:

$ cc -g main.c $(pkg-config --cflags --libs libcurl) -o valgrind && valgrind --leak-check=full ./valgrind
==41878== HEAP SUMMARY:
==41878==     in use at exit: 3,710 bytes in 12 blocks
==41878==   total heap usage: 32,937 allocs, 32,925 frees, 3,397,085 bytes allocated
==41878== 260 bytes in 4 blocks are definitely lost in loss record 5 of 8
==41878==    at 0x483F7B5: malloc (in /usr/libexec/valgrind/
==41878==    by 0x499331A: strdup (strdup.c:42)
==41878==    by 0x48CB3CD: ??? (in /usr/lib/x86_64-linux-gnu/
==41878==    by 0x48AB9B7: ??? (in /usr/lib/x86_64-linux-gnu/
==41878==    by 0x48AC81D: curl_multi_perform (in /usr/lib/x86_64-linux-gnu/
==41878==    by 0x4884AE2: curl_easy_perform (in /usr/lib/x86_64-linux-gnu/
==41878==    by 0x1092FB: main (main.c:15)
==41878== LEAK SUMMARY:
==41878==    definitely lost: 260 bytes in 4 blocks
==41878==    indirectly lost: 0 bytes in 0 blocks
==41878==      possibly lost: 0 bytes in 0 blocks
==41878==    still reachable: 3,450 bytes in 8 blocks
==41878==         suppressed: 0 bytes in 0 blocks
==41878== Reachable blocks (those to which a pointer was found) are not shown.
==41878== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==41878== For lists of detected and suppressed errors, rerun with: -s
==41878== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

The size of the leak depends on the value of CURLOPT_XOAUTH2_BEARER; in this example it is 260 because the token is 65 characters long (including '\0') times 4.

I expected the following

Repeatedly performing HTTP requests with the same handle when a bearer token is set with the CURLOPT_XOAUTH2_BEARER option should not leak the token on each request.

curl/libcurl version

curl 7.83.0 (x86_64-pc-linux-gnu) libcurl/7.83.0 OpenSSL/1.1.1o zlib/1.2.11 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.10.0 nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.11
Release-Date: 2022-04-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

operating system

Linux debian 5.17.0-1-amd64 #1 SMP PREEMPT Debian 5.17.3-1 (2022-04-18) x86_64 GNU/Linux

@bagder bagder self-assigned this May 13, 2022
Copy link

bagder commented May 13, 2022

I can reproduce with a new test case. PR pending.

bagder added a commit that referenced this issue May 13, 2022
Make use of conn_free() better and avoid duplicate code.

Reported-by: Andrea Pappacoda
Fixes #8841
Tachi107 added a commit to Tachi107/cloudflare-ddns that referenced this issue May 13, 2022
Also make sure that the supplied API token is 40 characters long.

For further information about the leak, see
@bagder bagder closed this as completed in 06d1210 May 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

No branches or pull requests

2 participants