From 5ca75fd52c36f63fe9b1218e79953411d4435a9d Mon Sep 17 00:00:00 2001 From: Alex Crichton Date: Thu, 10 Nov 2016 08:00:22 -0800 Subject: [PATCH] curl_stream: check for -1 after CURLINFO_LASTSOCKET We're recently trying to upgrade to the current master of libgit2 in Cargo but we're unfortunately hitting a segfault in one of our tests. This particular test is just a small smoke test that https works (e.g. it's configured in libgit2). It attempts to clone from a URL which simply immediately drops connections after they're accepted (e.g. terminate abnormally). We expect to see a standard error from libgit2 but unfortunately we're seeing a segfault. This segfault is happening inside of the `wait_for` function of `curl_stream.c` at the line `FD_SET(fd, &errfd)` because `fd` is -1. This ends up doing an out-of-bounds array access that faults the program. I tracked back to where this -1 came from to the line here (returned by `CURLINFO_LASTSOCKET`) and added a check to return an error. --- src/curl_stream.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/curl_stream.c b/src/curl_stream.c index 98de187dd..3a3f364b2 100644 --- a/src/curl_stream.c +++ b/src/curl_stream.c @@ -121,6 +121,11 @@ static int curls_connect(git_stream *stream) return seterr_curl(s); } + if (sockextr == -1) { + giterr_set(GITERR_NET, "curl socket is no longer valid"); + return -1; + } + s->socket = sockextr; if (s->parent.encrypted && failed_cert) @@ -198,6 +203,7 @@ static int wait_for(curl_socket_t fd, bool reading) FD_ZERO(&outfd); FD_ZERO(&errfd); + assert(fd >= 0); FD_SET(fd, &errfd); if (reading) FD_SET(fd, &infd);