[asterisk-bugs] [JIRA] (ASTERISK-29085) func_curl: Segmentation fault when using CURL after setting httpheader CURLOPT

Péter Juhász (JIRA) noreply at issues.asterisk.org
Thu Sep 17 13:05:43 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=252074#comment-252074 ] 

Péter Juhász commented on ASTERISK-29085:
-----------------------------------------

I will try (tomorrow morning CEST)!

I expect that it will resolve the crash, but it also changes the behavior of the option from the intended and documented way, which states that headers persist and subsequent calls to CURLOPT(httpheader) add to the list (as opposed to replacing it).

(I do think that this interface is suboptimal and that it should be replaced with something more flexible and more in line with the rest of the function.)

> func_curl: Segmentation fault when using CURL after setting httpheader CURLOPT
> ------------------------------------------------------------------------------
>
>                 Key: ASTERISK-29085
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29085
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Functions/func_curl
>    Affects Versions: 16.8.0
>         Environment: Fedora 32 Linux x86_64
>            Reporter: Péter Juhász
>            Assignee: Péter Juhász
>            Severity: Minor
>              Labels: patch
>         Attachments: 0001-func_curl-Clear-HTTP-headers-form-shared-cURL-instan.patch, gdb.txt
>
>
> The capability to set HTTP headers was recently added to Asterisk (in issue ASTERISK-28613), but it turns out that this functionality is unsafe in its current implementation, because it is possible to induce a segmentation fault with some combinations of CURLOPT calls.
> The steps to reproduce:
> - Set CURLOPT(httpheader)=Content-Type: application/json
> - use CURL to send POST JSON data to some HTTPS service
> - Set some other CURLOPT that is not httpheader (e.g. userpwd, httptimeout)
> - use CURL again
> With such a dialplan Asterisk crashes consistently.
> We have a coredump, but it contains potentially sensitive data, so I don't want to upload it to the public tracker.
> Analyzing the coredump, it appears that curl->set.headers in acf_curl_helper contains garbage, or more precisely, the data and next pointers in that structure became stale since the first call to CURL.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
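
Added example (not part of the original message, the attached patch, Asterisk, or libcurl): a small C model of the lifetime rule behind the stale `data`/`next` pointers described above, showing that a reused handle can drop its borrowed header pointer after every transfer while the owner's list keeps the documented append behavior. The `hdr`, `handle` and `store` types and all function names are hypothetical; in real libcurl, `CURLOPT_HTTPHEADER` likewise stores the caller's list pointer rather than copying the list.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: these types are hypothetical, not libcurl or Asterisk code. */
struct hdr { char *data; struct hdr *next; };
struct handle { const struct hdr *headers; }; /* shared, reused; borrows the list */
struct store { struct hdr *list; };           /* per-caller settings; owns the list */

/* Append one header line to the owner's list (the "add to the list" semantics). */
static int store_add_header(struct store *st, const char *line)
{
    struct hdr *h = calloc(1, sizeof(*h)), **tail = &st->list;
    if (!h || !(h->data = malloc(strlen(line) + 1))) { free(h); return -1; }
    strcpy(h->data, line);
    while (*tail) tail = &(*tail)->next;
    *tail = h;
    return 0;
}

/* Free the owner's list. Safe only because no handle still borrows it. */
static void store_free(struct store *st)
{
    while (st->list) {
        struct hdr *next = st->list->next;
        free(st->list->data);
        free(st->list);
        st->list = next;
    }
}

/* One transfer: lend the list, walk it as a send would, then drop the loan. */
static int perform(struct handle *h, const struct store *st)
{
    int sent = 0;
    h->headers = st->list;
    for (const struct hdr *p = h->headers; p; p = p->next) sent++;
    h->headers = NULL; /* the reused handle never keeps a pointer past the call */
    return sent;
}

int main(void)
{
    struct handle h = { NULL }; struct store st = { NULL };
    store_add_header(&st, "Content-Type: application/json");
    printf("first transfer: %d header(s)\n", perform(&h, &st));
    store_add_header(&st, "Accept: application/json"); /* constructed sample */
    printf("second transfer: %d header(s)\n", perform(&h, &st));
    store_free(&st);
    printf("after free: %d header(s)\n", perform(&h, &st));
    return 0;
}
```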


