Commit 5ca75fd52c36f63fe9b1218e79953411d4435a9d
2016-11-10T08:00:22
curl_stream: check for -1 after CURLINFO_LASTSOCKET We're recently trying to upgrade to the current master of libgit2 in Cargo but we're unfortunately hitting a segfault in one of our tests. This particular test is just a small smoke test that https works (e.g. it's configured in libgit2). It attempts to clone from a URL which simply immediately drops connections after they're accepted (e.g. terminate abnormally). We expect to see a standard error from libgit2 but unfortunately we're seeing a segfault. This segfault is happening inside of the `wait_for` function of `curl_stream.c` at the line `FD_SET(fd, &errfd)` because `fd` is -1. This ends up doing an out-of-bounds array access that faults the program. I tracked back to where this -1 came from to the line here (returned by `CURLINFO_LASTSOCKET`) and added a check to return an error.
diff --git a/src/curl_stream.c b/src/curl_stream.c
index 98de187..3a3f364 100644
--- a/src/curl_stream.c
+++ b/src/curl_stream.c
@@ -121,6 +121,11 @@ static int curls_connect(git_stream *stream)
return seterr_curl(s);
}
+ if (sockextr == -1) {
+ giterr_set(GITERR_NET, "curl socket is no longer valid");
+ return -1;
+ }
+
s->socket = sockextr;
if (s->parent.encrypted && failed_cert)
@@ -198,6 +203,7 @@ static int wait_for(curl_socket_t fd, bool reading)
FD_ZERO(&outfd);
FD_ZERO(&errfd);
+ assert(fd >= 0);
FD_SET(fd, &errfd);
if (reading)
FD_SET(fd, &infd);