libcurl: curl_easy_cleanup() crash · Issue #12986 · curl/curl

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

I did this

Following code are skipping any checks

const char *url_format = "https://xxx"; // something for format
char *input; // user input
char *input_escape = curl_easy_escape(curl, input, 0);
char *formatted_url = ""; // formatted URL with input
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, formatted_url);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &data_response);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, &data_response_write);
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, header_list);
CURLcode result = curl_easy_perform(curl);
// after preocessing
curl_easy_cleanup(curl); // << ===== this causes crash
curl_slist_free_all(header_list);
curl_free(search_input_escape);

Running the debugger produces this backtrace ( bt in gdb ):

Program terminated with signal SIGSEGV, Segmentation fault.
#0  malloc_consolidate (av=av@entry=0x7fbf33e1ac80 <main_arena>) at ./malloc/malloc.c:4753
4753    ./malloc/malloc.c: No such file or directory.
(gdb) bt
#0  malloc_consolidate (av=av@entry=0x7fbf33e1ac80 <main_arena>) at ./malloc/malloc.c:4753
#1  0x00007fbf33ca3bdb in _int_malloc (av=av@entry=0x7fbf33e1ac80 <main_arena>, bytes=bytes@entry=16712) at ./malloc/malloc.c:3965
#2  0x00007fbf33ca5139 in __GI___libc_malloc (bytes=16712) at ./malloc/malloc.c:3329
#3  0x00007fbf33ba905d in ?? () from /lib/x86_64-linux-gnu/libssl.so.3
#4  0x00007fbf33bae818 in ?? () from /lib/x86_64-linux-gnu/libssl.so.3
#5  0x00007fbf33b883fc in ?? () from /lib/x86_64-linux-gnu/libssl.so.3
#6  0x00007fbf33b8ecb7 in SSL_read () from /lib/x86_64-linux-gnu/libssl.so.3
#7  0x00007fbf3400e34f in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#8  0x00007fbf33ffbd86 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#9  0x00007fbf33ff1e8a in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#10 0x00007fbf33fa8c96 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#11 0x00007fbf33fd6461 in curl_multi_cleanup () from /lib/x86_64-linux-gnu/libcurl.so.4
#12 0x00007fbf340155f0 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#13 0x00007fbf33fb181c in curl_easy_cleanup () from /lib/x86_64-linux-gnu/libcurl.so.4
#14 0x0000559e537f9ea4 in main (argc=1, argv=0x7ffc16176f78) at main.c:162
I expected the following
It does not crash.
curl/libcurl version
Running curl --version:
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.
9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
Calling curl_version() API:
libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/
zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Running apt list --installed | grep curl
curl/jammy-updates,jammy-security,now 7.81.0-1ubuntu1.15 amd64 [installed]
libcurl3-gnutls/jammy-updates,jammy-security,now 7.81.0-1ubuntu1.15 amd64 [installed,automatic]
libcurl4-doc/jammy-updates,jammy-updates,jammy-security,jammy-security,now 7.81.0-1ubuntu1.15 all [installed]
libcurl4-openssl-dev/jammy-updates,jammy-security,now 7.81.0-1ubuntu1.15 amd64 [installed]
libcurl4/jammy-updates,jammy-security,now 7.81.0-1ubuntu1.15 amd64 [installed]
operating system
Ubuntu 22.04.4 LTS
           curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.
 9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
 Release-Date: 2022-01-05
This is an old version, and if it's from Ubuntu it's been highly patched. If
you can reproduce this with a recent, pristine libcurl that that would be
interesting.
This is an old version, and if it's from Ubuntu it's been highly patched.
The curl download page on "Linux - Ubuntu" on my version (jammy) is on version 7.8.1 which is the version that is installed on my computer, and I don't think there will not have a newer version unless I update to the newest Ubuntu (noble). Is it recommended that I reinstall the curl to the newest version (8.6.0) and give it a try?
          First, I think you mean 7.81.0 since 7.8.1 is 22.5 years old.
Then:your Ubuntu package manager probably does not offer any newer version. You need to ask/check with your Ubuntu repositories to figure that out.
We have shipped twenty releases since 7.81.0...
          Yes. I mean that version, 7.81.0.
Just tried to install the (almost) newer .deb version of curl (8.5.0-2ubuntu2) and it seems like dpkg doesn't like it.
Mmm, I think I need to build from the source, then.
          Hi, I just came back here to tell that I have rebuilt curl to the latest version(8.6.0) and the error seems to be persist for me.

But the backtrace is clearer:
Thread 1 "theprogram" received signal SIGSEGV, Segmentation fault.
malloc_consolidate (av=av@entry=0x7ffff7e1ac80 <main_arena>) at ./malloc/malloc.c:4753
4753    ./malloc/malloc.c: No such file or directory.
(gdb) bt
#0  malloc_consolidate (av=av@entry=0x7ffff7e1ac80 <main_arena>) at ./malloc/malloc.c:4753
#1  0x00007ffff7ca3bdb in _int_malloc (av=av@entry=0x7ffff7e1ac80 <main_arena>, bytes=bytes@entry=16712) at ./malloc/malloc.c:3965
#2  0x00007ffff7ca5139 in __GI___libc_malloc (bytes=16712) at ./malloc/malloc.c:3329
#3  0x00007ffff7e8005d in ?? () from /lib/x86_64-linux-gnu/libssl.so.3
#4  0x00007ffff7e85818 in ?? () from /lib/x86_64-linux-gnu/libssl.so.3
#5  0x00007ffff7e5f3fc in ?? () from /lib/x86_64-linux-gnu/libssl.so.3
#6  0x00007ffff7e65cb7 in SSL_read () from /lib/x86_64-linux-gnu/libssl.so.3
#7  0x00007ffff7f74255 in ossl_close () from /curl8/lib/libcurl.so.4
#8  0x00007ffff7f7b59d in ssl_cf_close () from /curl8/lib/libcurl.so.4
#9  0x00007ffff7f1a4ae in cf_setup_close () from /curl8/lib/libcurl.so.4
#10 0x00007ffff7f14bd2 in cf_hc_close () from /curl8/lib/libcurl.so.4
#11 0x00007ffff7f690f2 in Curl_disconnect () from /curl8/lib/libcurl.so.4
#12 0x00007ffff7f1a1d6 in Curl_conncache_close_all_connections () from /curl8/lib/libcurl.so.4
#13 0x00007ffff7f4a390 in curl_multi_cleanup () from /curl8/lib/libcurl.so.4
#14 0x00007ffff7f69314 in Curl_close () from /curl8/lib/libcurl.so.4
#15 0x00007ffff7f256e7 in curl_easy_cleanup () from /curl8/lib/libcurl.so.4
#16 0x0000555555558f34 in main (argc=1, argv=0x7fffffffd798) at main.c:162
The issue mentioned as duplicate doesn't resemble my case. Since I do not use any curl_url_* method and I can guarantee that formatted_url is neither an empty string nor NULL.
          After commenting some lines to pinpoint what function causes the problem, I just found that it was all my fault. I have a function from other library — that the returned results must not be freed, but I'm doing it because I mistook reading the documentation.
My bad.