On Thu November 12 2009 01:29:08 Kevin Baughman wrote:
> Hi All,
>
> I spent some time debugging the curl code while Kamil and I were debugging
> this issue and I think I found out what is going on. Someplace in the
> code it looks like a data structure was released twice. So I looked in
> curl_nss_connect and saw that the model structure will be freed twice if
> the handshake fails.
>
> At line 939:
> PRFileDesc *model = NULL;
>
> At line 1201:
> PR_Close(model); /* We don't need this any more */
>
> Then at line 1214 if SSL_ForceHandshakeWithTimeout fails, goto error is
> called and at line 1267:
>
> if(model)
> PR_Close(model);
>
>
> I created a patch that sets model to NULL around line 1201 and that seems
> to fix my crash. See below:
>
> *** curl-7.19.6/lib/nss.c Fri Jul 31 20:15:35 2009
> --- /tmp/nss.c Wed Nov 11 17:52:27 2009
> ***************
> *** 1184,1190 ****
> --- 1184,1192 ----
> connssl->handle = SSL_ImportFD(model, connssl->handle);
> if(!connssl->handle)
> goto error;
> +
> PR_Close(model); /* We don't need this any more */
> + model = NULL;
>
> /* This is the password associated with the cert that we're using */
> if (data->set.str[STRING_KEY_PASSWD]) {
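Review bot: the `model = NULL;` is the right fix for the error label's `if(model) PR_Close(model);` shown above, since PR_Close releases the descriptor and a second PR_Close on the same pointer after a failed SSL_ForceHandshakeWithTimeout is a double free of the NSPR file descriptor. Two small points on the hunk: the added blank line before `PR_Close(model);` is a whitespace-only change that could be dropped, and the existing comment `/* We don't need this any more */` could be extended to say the pointer is cleared so the error path does not close it again, so a later reader does not remove the assignment as redundant.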
>
> It looks like at some point the handshake failed, and between the first and the
> second close being called someone else was using the NSS socket structure and
> the fd element was released.
>
> Patch is attached.
Thanks for contributing the patch! I've just applied it.
Kamil
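To make the double close concrete, here is an added example (not curl's code and not part of this thread) that mirrors the shape of curl_nss_connect described above: the model descriptor is closed after the import, and a failed handshake jumps to an error label that closes `model` again unless the pointer was cleared. `FakeFD`, `fake_close` and `connect_like` are stand-ins for PRFileDesc, PR_Close and the real function; the stand-in only counts repeated closes instead of freeing memory, so the defect is observable without crashing.

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for NSPR's PRFileDesc: only records whether it has been closed. */
typedef struct { bool closed; } FakeFD;

static int double_closes;  /* closes applied to an already-closed descriptor */

static void fake_close(FakeFD *fd) {
    if (fd->closed)
        double_closes++;   /* with the real PR_Close this is a use-after-free */
    fd->closed = true;
}

/* Mirrors the control flow in the report: close model after SSL_ImportFD,
 * then run the handshake; on failure jump to the shared error label.
 * fixed == true applies the patch from the thread (model = NULL after close). */
static int connect_like(bool handshake_ok, bool fixed) {
    FakeFD model_storage = { false };
    FakeFD *model = &model_storage;
    int rc = 0;

    /* ... model is configured and imported into the connection handle ... */
    fake_close(model);          /* We don't need this any more */
    if (fixed)
        model = NULL;           /* the patch: error path must not close it again */

    if (!handshake_ok) {        /* SSL_ForceHandshakeWithTimeout failed */
        rc = -1;
        goto error;
    }
    return rc;

error:
    if (model)
        fake_close(model);      /* second close when model was not cleared */
    return rc;
}

/* Number of double closes produced by one simulated connect attempt. */
int double_closes_for(bool handshake_ok, bool fixed) {
    double_closes = 0;
    connect_like(handshake_ok, fixed);
    return double_closes;
}
```

Only the unpatched variant with a failed handshake reports a double close; the patched variant closes the descriptor exactly once on every path.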
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html