From a268ad5d7e84189d8dfec3705d84a88ae064f7fc Mon Sep 17 00:00:00 2001 From: Jay Satiro Date: Tue, 17 Mar 2020 18:59:07 -0400 Subject: multi: Improve parameter check for curl_multi_remove_handle - If an easy handle is owned by a multi different from the one specified then return CURLM_BAD_EASY_HANDLE. Prior to this change I assume user error could cause corruption. Closes https://github.com/curl/curl/pull/5116 --- docs/libcurl/libcurl-errors.3 | 4 ++-- lib/multi.c | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/libcurl/libcurl-errors.3 b/docs/libcurl/libcurl-errors.3 index eff6544b6..3ea394e69 100644 --- a/docs/libcurl/libcurl-errors.3 +++ b/docs/libcurl/libcurl-errors.3 @@ -283,8 +283,8 @@ Things are fine. The passed-in handle is not a valid CURLM handle. .IP "CURLM_BAD_EASY_HANDLE (2)" An easy handle was not good/valid. It could mean that it isn't an easy handle -at all, or possibly that the handle already is in used by this or another -multi handle. +at all, or possibly that the handle already is in use by this or another multi +handle. .IP "CURLM_OUT_OF_MEMORY (3)" You are doomed. .IP "CURLM_INTERNAL_ERROR (4)" diff --git a/lib/multi.c b/lib/multi.c index e10e75293..d4f031873 100644 --- a/lib/multi.c +++ b/lib/multi.c @@ -700,6 +700,10 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, if(!data->multi) return CURLM_OK; /* it is already removed so let's say it is fine! */ + /* Prevent users from trying to remove an easy handle from the wrong multi */ + if(data->multi != multi) + return CURLM_BAD_EASY_HANDLE; + if(multi->in_callback) return CURLM_RECURSIVE_API_CALL; -- cgit v1.2.3