From 6fdbb011948cc9fd2cadff04b230427cf02dbd7d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 23 Feb 2006 12:20:48 +0000 Subject: [PATCH] Lots of work and analysis by "xbx___" in bug #1431750 (http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two different but related bugs: 1) Removing an easy handle from a multi handle before the transfer is done could leave a connection in the connection cache for that handle that is in a state that isn't suitable for re-use. A subsequent re-use could then read from a NULL pointer and segfault. 2) When an easy handle was removed from the multi handle, there could be an outstanding c-ares DNS name resolve request. When the response arrived, it caused havoc since the connection struct it "belonged" to could've been freed already. Now Curl_done() is called when an easy handle is removed from a multi handle pre-maturely (that is, before the transfer was completed). Curl_done() also makes sure to cancel all (if any) outstanding c-ares requests. --- CHANGES | 19 +++++++++++++++++++ RELEASE-NOTES | 2 ++ lib/hostip.h | 3 ++- lib/multi.c | 6 ++++-- lib/url.c | 6 +++++- 5 files changed, 32 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 742d01f9b..0b2833950 100644 --- a/CHANGES +++ b/CHANGES 
@@ -6,6 +6,25 @@ Changelog +Daniel (22 February 2006) +- Lots of work and analysis by "xbx___" in bug #1431750 + (http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two + different but related bugs: + + 1) Removing an easy handle from a multi handle before the transfer is done + could leave a connection in the connection cache for that handle that is + in a state that isn't suitable for re-use. A subsequent re-use could then + read from a NULL pointer and segfault. + + 2) When an easy handle was removed from the multi handle, there could be an + outstanding c-ares DNS name resolve request. When the response arrived, + it caused havoc since the connection struct it "belonged" to could've + been freed already. + + Now Curl_done() is called when an easy handle is removed from a multi handle + pre-maturely (that is, before the transfer was complteted). Curl_done() also + makes sure to cancel all (if any) outstanding c-ares requests. + Daniel (21 February 2006) - Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy type to the already provided type CURLPROXY_SOCKS4. diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 943b6b5ed..aeb78c4db 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -22,6 +22,8 @@ This release includes the following changes: This release includes the following bugfixes: + o two bugs concerning using curl_multi_remove_handle() before the transfer + was complete o multi-pass authentication and compressed content o minor format string mistake in the GSS/Negotiate code o cached DNS entries could remain in the cache too long diff --git a/lib/hostip.h b/lib/hostip.h index 3baf8284b..62c6721e1 100644 --- a/lib/hostip.h +++ b/lib/hostip.h 
@@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2005, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2006, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -82,6 +82,7 @@ #define CURL_ASYNC_SUCCESS ARES_SUCCESS #else #define CURL_ASYNC_SUCCESS CURLE_OK +#define ares_cancel(x) #endif /* diff --git a/lib/multi.c b/lib/multi.c index a7d1988d6..6213fede4 100644 --- a/lib/multi.c +++ b/lib/multi.c @@ -92,10 +92,10 @@ struct Curl_one_easy { int msg_num; /* number of messages left in 'msg' to return */ }; - #define CURL_MULTI_HANDLE 0x000bab1e -#define GOOD_MULTI_HANDLE(x) ((x)&&(((struct Curl_multi *)x)->type == CURL_MULTI_HANDLE)) +#define GOOD_MULTI_HANDLE(x) \ + ((x)&&(((struct Curl_multi *)x)->type == CURL_MULTI_HANDLE)) #define GOOD_EASY_HANDLE(x) (x) /* This is the struct known as CURLM on the outside */ @@ -245,6 +245,8 @@ CURLMcode curl_multi_remove_handle(CURLM *multi_handle, Curl_easy_addmulti(easy->easy_handle, NULL); /* clear the association to this multi handle */ + Curl_done(&easy->easy_conn, easy->result); + /* make the previous node point to our next */ if(easy->prev) easy->prev->next = easy->next; diff --git a/lib/url.c b/lib/url.c index 0c0933ca8..60172b395 100644 --- a/lib/url.c +++ b/lib/url.c @@ -3654,7 +3654,7 @@ static CURLcode CreateConnection(struct SessionHandle *data, /* Continue connectdata initialization here. * * Inherit the proper values from the urldata struct AFTER we have arranged - * the persistent conncetion stuff */ + * the persistent connection stuff */ conn->fread = data->set.fread; conn->fread_in = data->set.in; 
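Review bot: The new `#define ares_cancel(x)` in the `#else` branch of lib/hostip.h (hunk at `-82,6`) is an uncommented empty stub that reuses the name of the c-ares function, so a reader of a call site cannot tell that the call vanishes in builds taking this branch. Because the preprocessor discards the argument, `ares_cancel(data->state.areschannel);` in Curl_done() compiles there whether or not that field exists, and the statement collapses to a bare `;`. I would make it a statement-safe no-op and say why: `#define ares_cancel(x) do {} while(0) /* no c-ares: no resolver requests to cancel */`. The `#if` that opens this conditional is outside the hunk, so which builds take the `#else` side is inferred from the `ARES_SUCCESS` line above it.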
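Review bot: In the lib/multi.c hunk at `-245,6`, `Curl_done(&easy->easy_conn, easy->result);` runs on every curl_multi_remove_handle() call and drops its CURLcode result, although the commit message limits the intent to handles removed before the transfer completed. Nothing visible shows that `easy->easy_conn` is non-NULL here, for example when a handle is removed before it ever connected or after its transfer already finished. The Curl_done() hunk in lib/url.c uses `conn` and `data` with no check in its visible lines, so this may trade the reported crash for a NULL dereference or a second teardown of the same connection. A guard such as `if(easy->easy_conn) Curl_done(&easy->easy_conn, easy->result);`, with a one-line comment naming the premature-removal case, would make the precondition explicit. Both function bodies extend beyond their hunks, so an existing check elsewhere cannot be ruled out.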
@@ -3999,6 +3999,10 @@ CURLcode Curl_done(struct connectdata **connp, Curl_pgrsDone(conn); /* done with the operation */ + /* for ares-using, make sure all possible outstanding requests are properly + cancelled before we proceed */ + ares_cancel(data->state.areschannel); + /* if data->set.reuse_forbid is TRUE, it means the libcurl client has forced us to close this no matter what we think.