{"id":"CURL-CVE-2016-5421","summary":"use of connection struct after free","details":"libcurl is vulnerable to a use after free flaw.\n\nlibcurl works with easy handles using the type 'CURL *' that are objects the\napplication creates using `curl_easy_init()`. Each such handle is associated\nwith a single transfer at a time. libcurl also has an internal struct that\nrepresents and holds most state that is related to a single connection. An easy\nhandle can hold references to one or many such connection structs depending on\nthe requested operations.\n\nWhen using libcurl's multi interface, an application performs transfers by\nadding one or more easy handles to the multi handle and then it can drive all\nthose transfers in parallel.\n\nDue to a flaw, libcurl could leave a pointer to a freed connection struct\ndangling in an easy handle that was previously added to a multi handle when\n`curl_multi_cleanup()` is called with an easy handle still added to it. This\ndoes not seem to cause any notable harm if the handle is then closed properly.\n\nHowever, if the easy handle would instead get used again with the easy\ninterface and `curl_easy_perform()` to do another transfer, it would blindly\nuse the connection struct pointer now pointing to freed memory.\n\nAn application could be made to allocate its own fake version of the connection\nstruct, fill in some data and then have the `curl_easy_perform()` call do\nsomething that clearly was not intended by the original code.\n\nFor example, this could be an application using a component or library that\nuses libcurl to do something against fixed URLs or fixed hostnames or with a\nset of fixed options, but using this flaw the application can then make the\ncomponent do something completely different and unintended.\n\nPseudo code for a bad application:\n\n    easy = curl_easy_init();\n    curl_easy_setopt(easy, CURLOPT_URL, \"http://example.com/\");\n\n    // --- start of code to confuse libcurl ---\n    multi = curl_multi_init();\n    curl_multi_add_handle(multi, easy);\n    curl_multi_perform(multi, &still_running);\n    curl_multi_cleanup(multi);\n\n    // --- attack code\n    allocate_fake_connection_struct()\n    fill_in_fake_connection_struct()\n\n    // ---- end of confusion code\n\n    // now this is called, it will not use example.com at all even if the\n    // option above asks for it...\n\n    curl_easy_perform(easy);\n\nThis flaw can also be exploited using libcurl bindings in other languages.","aliases":["CVE-2016-5421"],"modified":"2024-06-07T13:53:51Z","published":"2016-08-03T08:00:00Z","database_specific":{"package":"curl","last_affected":"7.50.0","severity":"High","URL":"https://curl.se/docs/CVE-2016-5421.json","www":"https://curl.se/docs/CVE-2016-5421.html","affects":"lib","CWE":{"desc":"Use After Free","id":"CWE-416"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.32.0"},{"fixed":"7.50.1"}]}],"versions":["7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2016-5421.json"}}],"schema_version":"1.7.3","credits":[{"name":"Marcelo Echeverria","type":"FINDER"},{"name":"Fernando Muñoz","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}