crash seen in multi_socket

Sat, 11 May 2019 10:03:28 -0700 

Hello,

I'm using libcurl - 7.64.0 with nghttp2 for http2 call flow. For http/1.1
this crash is not seen.

I see following crashes:
#1
0 libBaseFramework.so!multi_socket + 0x129
1 libBaseFramework.so!curl_multi_socket_action + 0x25
2 libBaseFramework.so!HttpClientManager::SocketEventTriggered(int, unsigned
int) [httpClientManager.cc : 348 + 0x5]

And
#2
 0  libc-2.27.so!__GI__IO_fwrite + 0x1e
 1  libBaseFramework.so!Curl_debug + 0x8d
 2  libBaseFramework.so!Curl_infof + 0x12c
 3  libBaseFramework.so!http2_conncheck + 0xc2
 4  libBaseFramework.so!extract_if_dead + 0x3b
 5  libBaseFramework.so!Curl_connect + 0x216b
 6  libBaseFramework.so!multi_runsingle + 0x577
 7  libBaseFramework.so!multi_socket + 0x27d
 8  libBaseFramework.so!curl_multi_socket_action + 0x25

Scenario:
1. Initiate multiple client request on http2 with prior knowledge(from
application using library) e.g. 4 streams on same connection using multi -
async interface.
2. http2 server responds to only one and dies off.

On initial analysis:
for #1 case:

Crash point:
   In multi_socket:
     /* the socket can be shared by many transfers, iterate */
      for(e = list->head; e; e = e->next) {
        data = (struct Curl_easy *)e->ptr;
           if(data->magic != CURLEASY_MAGIC_NUMBER)

    accessing data results in trap.

Tried with fix based on understanding:
1. multi_socket() -> does multi_runsingle() where disconnect is detected
and tries to reconnect.
2. singlesocket() does sh_delentr().
3. Curl_llist_remove() does:

  e->ptr  = NULL;

  e->prev = NULL;

  e->next = NULL;
4.  During the next iteration, as prev is set to NULL, it finds data NULL

Please correct if my analysis is wrong.
I tried with following fix:
      /* the socket can be shared by many transfers, iterate */
      for(e = list->head; e; e = e->next) {
        data = (struct Curl_easy *)e->ptr;
        // crash fix - temp
        if (!data)
          continue;
by with #1 was fixed as per scenario. #2 trap was using this patch with a
minimal load run, updated the patch to 'return result' instead of continue.

While this would just be defensive fix, the root cause fix could be
elsewhere also, request to please check / comment.

Thanks

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Reply via email to