curl: Fix error path in curl_open()

Message ID	20230206132949.92917-1-hreitz@redhat.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: Hanna Czenczek <hreitz@redhat.com> To: qemu-block@nongnu.org Cc: qemu-devel@nongnu.org, Hanna Czenczek <hreitz@redhat.com>, Kevin Wolf <kwolf@redhat.com>, =?utf-8?q?Daniel_P_=2E_Berrang=C3=A9?= <berrange@redhat.com> Subject: [PATCH] curl: Fix error path in curl_open() Date: Mon, 6 Feb 2023 14:29:49 +0100 Message-Id: <20230206132949.92917-1-hreitz@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=170.10.133.124; envelope-from=hreitz@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Series	curl: Fix error path in curl_open() \| expand curl: Fix error path in curl_open()

Message ID

20230206132949.92917-1-hreitz@redhat.com

State

New

Headers

From: Hanna Czenczek <hreitz@redhat.com>
To: qemu-block@nongnu.org
Cc: qemu-devel@nongnu.org, Hanna Czenczek <hreitz@redhat.com>,
 Kevin Wolf <kwolf@redhat.com>,
 =?utf-8?q?Daniel_P_=2E_Berrang=C3=A9?= <berrange@redhat.com>
Subject: [PATCH] curl: Fix error path in curl_open()
Date: Mon,  6 Feb 2023 14:29:49 +0100
Message-Id: <20230206132949.92917-1-hreitz@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=170.10.133.124; envelope-from=hreitz@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Series

curl: Fix error path in curl_open() | expand

Commit Message

Hanna Czenczek Feb. 6, 2023, 1:29 p.m. UTC

g_hash_table_destroy() and g_hash_table_foreach_remove() (called by
curl_drop_all_sockets()) both require the table to be non-NULL, or will
print assertion failures (just print, no abort).

There are several paths in curl_open() that can lead to the out_noclean
label without s->sockets being allocated, so clean it only if it has
been allocated.

Example reproducer:
$ qemu-img info -f http ''
qemu-img: GLib: g_hash_table_foreach_remove: assertion 'hash_table != NULL' failed
qemu-img: GLib: g_hash_table_destroy: assertion 'hash_table != NULL' failed
qemu-img: Could not open '': http curl driver cannot handle the URL '' (does not start with 'http://')

Closes: https://gitlab.com/qemu-project/qemu/-/issues/1475
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
---
 block/curl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Daniel P. Berrangé Feb. 6, 2023, 1:35 p.m. UTC | #1

On Mon, Feb 06, 2023 at 02:29:49PM +0100, Hanna Czenczek wrote:
> g_hash_table_destroy() and g_hash_table_foreach_remove() (called by
> curl_drop_all_sockets()) both require the table to be non-NULL, or will
> print assertion failures (just print, no abort).
> 
> There are several paths in curl_open() that can lead to the out_noclean
> label without s->sockets being allocated, so clean it only if it has
> been allocated.
> 
> Example reproducer:
> $ qemu-img info -f http ''
> qemu-img: GLib: g_hash_table_foreach_remove: assertion 'hash_table != NULL' failed
> qemu-img: GLib: g_hash_table_destroy: assertion 'hash_table != NULL' failed
> qemu-img: Could not open '': http curl driver cannot handle the URL '' (does not start with 'http://')
> 
> Closes: https://gitlab.com/qemu-project/qemu/-/issues/1475
> Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
> ---
>  block/curl.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel

Philippe Mathieu-Daudé Feb. 6, 2023, 2:36 p.m. UTC | #2

On 6/2/23 14:29, Hanna Czenczek wrote:
> g_hash_table_destroy() and g_hash_table_foreach_remove() (called by
> curl_drop_all_sockets()) both require the table to be non-NULL, or will
> print assertion failures (just print, no abort).
> 
> There are several paths in curl_open() that can lead to the out_noclean
> label without s->sockets being allocated, so clean it only if it has
> been allocated.
> 
> Example reproducer:
> $ qemu-img info -f http ''
> qemu-img: GLib: g_hash_table_foreach_remove: assertion 'hash_table != NULL' failed
> qemu-img: GLib: g_hash_table_destroy: assertion 'hash_table != NULL' failed
> qemu-img: Could not open '': http curl driver cannot handle the URL '' (does not start with 'http://')
> 
> Closes: https://gitlab.com/qemu-project/qemu/-/issues/1475
> Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
> ---
>   block/curl.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

Kevin Wolf Feb. 13, 2023, 11:03 a.m. UTC | #3

Am 06.02.2023 um 14:29 hat Hanna Czenczek geschrieben:
> g_hash_table_destroy() and g_hash_table_foreach_remove() (called by
> curl_drop_all_sockets()) both require the table to be non-NULL, or will
> print assertion failures (just print, no abort).
> 
> There are several paths in curl_open() that can lead to the out_noclean
> label without s->sockets being allocated, so clean it only if it has
> been allocated.
> 
> Example reproducer:
> $ qemu-img info -f http ''
> qemu-img: GLib: g_hash_table_foreach_remove: assertion 'hash_table != NULL' failed
> qemu-img: GLib: g_hash_table_destroy: assertion 'hash_table != NULL' failed
> qemu-img: Could not open '': http curl driver cannot handle the URL '' (does not start with 'http://')
> 
> Closes: https://gitlab.com/qemu-project/qemu/-/issues/1475
> Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>

Thanks, applied to the block branch.

Kevin

diff --git a/block/curl.c b/block/curl.c
index cbada22e9e..ba9977af5a 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -850,8 +850,10 @@  out_noclean:
     g_free(s->username);
     g_free(s->proxyusername);
     g_free(s->proxypassword);
-    curl_drop_all_sockets(s->sockets);
-    g_hash_table_destroy(s->sockets);
+    if (s->sockets) {
+        curl_drop_all_sockets(s->sockets);
+        g_hash_table_destroy(s->sockets);
+    }
     qemu_opts_del(opts);
     return -EINVAL;
 }

curl: Fix error path in curl_open()

Commit Message

Comments

Patch