aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2017-10-06 01:11:17 +0200
committerDaniel Stenberg <daniel@haxx.se>2017-10-06 16:48:39 +0200
commit7f1140c8bfc47dd9b7a8010818e97e87a289bfaf (patch)
treea43d23fee735f039c24d43a8be3910cb7c90bead
parent454dae0092d6f367fe486bdfd49f781329bf4500 (diff)
multi_cleanup: call DONE on handles that never got that
... fixes a memory leak with at least IMAP when remove_handle is never called and the transfer is abruptly just abandoned early. Test 1552 added to verify Detected by OSS-fuzz Assisted-by: Max Dymond Closes #1954
-rw-r--r--lib/multi.c39
-rw-r--r--tests/data/Makefile.inc2
-rw-r--r--tests/data/test155252
-rw-r--r--tests/libtest/Makefile.inc5
-rw-r--r--tests/libtest/lib1552.c93
5 files changed, 171 insertions, 20 deletions
diff --git a/lib/multi.c b/lib/multi.c
index 70aa6bcf9..faf42f1fa 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -2224,6 +2224,27 @@ CURLMcode curl_multi_cleanup(struct Curl_multi *multi)
multi->type = 0; /* not good anymore */
+ /* Firsrt remove all remaining easy handles */
+ data = multi->easyp;
+ while(data) {
+ nextdata = data->next;
+ if(!data->state.done && data->easy_conn)
+ /* if DONE was never called for this handle */
+ (void)multi_done(&data->easy_conn, CURLE_OK, TRUE);
+ if(data->dns.hostcachetype == HCACHE_MULTI) {
+ /* clear out the usage of the shared DNS cache */
+ Curl_hostcache_clean(data, data->dns.hostcache);
+ data->dns.hostcache = NULL;
+ data->dns.hostcachetype = HCACHE_NONE;
+ }
+
+ /* Clear the pointer to the connection cache */
+ data->state.conn_cache = NULL;
+ data->multi = NULL; /* clear the association */
+
+ data = nextdata;
+ }
+
/* Close all the connections in the connection cache */
close_all_connections(multi);
@@ -2243,24 +2264,6 @@ CURLMcode curl_multi_cleanup(struct Curl_multi *multi)
Curl_llist_destroy(&multi->msglist, NULL);
Curl_llist_destroy(&multi->pending, NULL);
- /* remove all easy handles */
- data = multi->easyp;
- while(data) {
- nextdata = data->next;
- if(data->dns.hostcachetype == HCACHE_MULTI) {
- /* clear out the usage of the shared DNS cache */
- Curl_hostcache_clean(data, data->dns.hostcache);
- data->dns.hostcache = NULL;
- data->dns.hostcachetype = HCACHE_NONE;
- }
-
- /* Clear the pointer to the connection cache */
- data->state.conn_cache = NULL;
- data->multi = NULL; /* clear the association */
-
- data = nextdata;
- }
-
Curl_hash_destroy(&multi->hostcache);
/* Free the blacklists by setting them to NULL */
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 4243c2183..e431d46c1 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -169,7 +169,7 @@ test1520 test1521 \
test1525 test1526 test1527 test1528 test1529 test1530 test1531 test1532 \
test1533 test1534 test1535 test1536 test1537 test1538 \
test1540 \
-test1550 test1551 \
+test1550 test1551 test1552 \
test1600 test1601 test1602 test1603 test1604 test1605 test1606 \
\
test1700 test1701 test1702 \
diff --git a/tests/data/test1552 b/tests/data/test1552
new file mode 100644
index 000000000..c5b1b5728
--- /dev/null
+++ b/tests/data/test1552
@@ -0,0 +1,52 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+Clear Text
+FETCH
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+From: me@somewhere
+To: fake@nowhere
+
+body
+
+--
+ yours sincerely
+</data>
+<datacheck>
+</datacheck>
+<servercmd>
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+imap
+</server>
+ <name>
+IMAP multi transfer error without curl_multi_remove_handle
+ </name>
+# tool is what to use instead of 'curl'
+<tool>
+lib1552
+</tool>
+ <command>
+'imap://%HOSTIP:%IMAPPORT/1552/;UID=1'
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
index 065899276..59e3b281d 100644
--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
@@ -27,7 +27,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \
lib1525 lib1526 lib1527 lib1528 lib1529 lib1530 lib1531 lib1532 lib1533 \
lib1534 lib1535 lib1536 lib1537 lib1538 \
lib1540 \
- lib1550 lib1551 \
+ lib1550 lib1551 lib1552 \
lib1900 \
lib2033
@@ -454,6 +454,9 @@ lib1550_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1517
lib1551_SOURCES = lib1551.c $(SUPPORTFILES)
lib1551_CPPFLAGS = $(AM_CPPFLAGS)
+lib1552_SOURCES = lib1552.c $(SUPPORTFILES) $(TESTUTIL)
+lib1552_CPPFLAGS = $(AM_CPPFLAGS)
+
lib1900_SOURCES = lib1900.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
lib1900_LDADD = $(TESTUTIL_LIBS)
lib1900_CPPFLAGS = $(AM_CPPFLAGS)
diff --git a/tests/libtest/lib1552.c b/tests/libtest/lib1552.c
new file mode 100644
index 000000000..02c4ea860
--- /dev/null
+++ b/tests/libtest/lib1552.c
@@ -0,0 +1,93 @@
+/***************************************************************************
+ * _ _ ____ _
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+#include "test.h"
+
+#include "testutil.h"
+#include "warnless.h"
+#include "memdebug.h"
+
+#define TEST_HANG_TIMEOUT 60 * 1000
+
+int test(char *URL)
+{
+ CURL *curls = NULL;
+ CURLM *multi = NULL;
+ int still_running;
+ int i = 0;
+ int res = 0;
+ CURLMsg *msg;
+ int counter = 3;
+
+ start_test_timing();
+
+ global_init(CURL_GLOBAL_ALL);
+
+ multi_init(multi);
+
+ easy_init(curls);
+
+ easy_setopt(curls, CURLOPT_URL, URL);
+ easy_setopt(curls, CURLOPT_HEADER, 1L);
+ easy_setopt(curls, CURLOPT_VERBOSE, 1L);
+ easy_setopt(curls, CURLOPT_USERPWD, "u:s");
+
+ multi_add_handle(multi, curls);
+
+ multi_perform(multi, &still_running);
+
+ abort_on_test_timeout();
+
+ while(still_running && counter--) {
+ int num;
+ res = curl_multi_wait(multi, NULL, 0, TEST_HANG_TIMEOUT, &num);
+ if(res != CURLM_OK) {
+ printf("curl_multi_wait() returned %d\n", res);
+ res = TEST_ERR_MAJOR_BAD;
+ goto test_cleanup;
+ }
+
+ abort_on_test_timeout();
+
+ multi_perform(multi, &still_running);
+
+ abort_on_test_timeout();
+ }
+
+ msg = curl_multi_info_read(multi, &still_running);
+ if(msg)
+ /* this should now contain a result code from the easy handle,
+ get it */
+ i = msg->data.result;
+
+test_cleanup:
+
+ /* undocumented cleanup sequence - type UA */
+
+ curl_multi_cleanup(multi);
+ curl_easy_cleanup(curls);
+ curl_global_cleanup();
+
+ if(res)
+ i = res;
+
+ return i; /* return the final return code */
+}