Bug 996793 - compiling curl example sendrecv.c with -O0 NULLs a variable.
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: gcc
Version: 6.4
Assigned To: Jakub Jelinek
Reported: 2013-08-13 20:29 EDT by Leonard den Ottolander
Modified: 2014-04-21 13:02 EDT
Last Closed: 2013-08-14 10:58:04 EDT
Type: Bug
Description Leonard den Ottolander 2013-08-13 20:29:12 EDT
Description of problem:

Try compiling the libcurl-devel-7.19.7-37 example sendrecv.c:

$ gcc sendrecv.c -lcurl -o sendrecv

(implicit -O0)

Compiling and linking go well but executing the resulting binary fails. After the call to curl_easy_getinfo(curl, CURLINFO_LASTSOCKET, &sockfd) the parameter curl is set to NULL, making the following curl_easy_send() fail.

I first suspected this to be a curl bug but this seems not to be the case.

When using another optimization level (say -O1 or -O2) the resulting binary behaves as expected.


Version-Release number of selected component (if applicable):

gcc-4.4.7-3.el6.x86_64
Comment 2 Marek Polacek 2013-08-14 00:29:49 EDT
Please provide preprocessed testcase.
Comment 3 Leonard den Ottolander 2013-08-14 07:42:08 EDT
What do you mean by a preprocessed test case? Do you want me to send you a precompiled binary?

The file sendrecv.c can be found in libcurl-devel-7.19.7-36.el6_4.x86_64.rpm under /usr/share/doc/libcurl-devel-7.19.7.

If you build the file as per the above instructions you will see that on execution the resulting binary terminates with the message "Error: A libcurl function was given a bad argument". This is caused by the parameter curl having been set to NULL and being passed to curl_easy_send() as such. (You can verify that the error is caused by having been passed a NULL value from the curl sources.)

This setting to NULL is something the compiler does, it does NOT happen in curl. I added some printfs in various curl functions to verify this. The variable curl is still set when leaving curl_easy_getinfo() but unset right after returning on line 71 in sendrecv.c.

Building the same file with -O1 or -O2 results in a correct binary.
Comment 4 Marek Polacek 2013-08-14 07:52:53 EDT
No, I need the sendrecv.i file generated by adding -save-temps to the command line options.  This preprocessed file should fail with -O0, but work with -O, as you say.

For more info see http://gcc.gnu.org/bugs/ .
Comment 5 Jakub Jelinek 2013-08-14 10:58:04 EDT
That testcase is just invalid.  If you look at curl.h, you'll see that for CURLINFO_LASTSOCKET (and many others) you need to call it with address of a long variable, but it is called with address of sockfd which has type int rather than long.  So there is a buffer overflow in the program.
Comment 6 Leonard den Ottolander 2013-08-14 13:46:42 EDT
Thanks for clearing this up. Indeed using a long for sockfd fixes the issue. So this is a bug in curl after all, even if just in an example.

Comparing the example in curl-7.32.0 shows the issue is indeed fixed upstream. sockfd is now of type curl_socket_t.
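
The type mismatch described in Comment 5, as an added example that is not part of the original bug report or of curl's code: a callee that stores a long through its result pointer, aimed first at an int-sized slot and then at a real long. Assumptions: store_long_result() is a hypothetical stand-in for the library call, and the frame layout and sample values are constructed, with all stores kept inside one byte array so the program stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the caller's locals: a 4-byte int slot for sockfd
   directly followed by an 8-byte slot for the handle. Real stack layout
   depends on the compiler and optimization level. */
enum { SOCKFD_OFF = 4, HANDLE_OFF = 8, FRAME_SIZE = 16 };
#define SAMPLE_HANDLE ((uint64_t)0x602010) /* constructed value */
#define SAMPLE_SOCKET 3L                   /* constructed value */

/* Hypothetical stand-in for a getinfo-style call: it stores a long
   through the pointer it is given, whatever the caller declared. */
static void store_long_result(void *out, long value)
{
    memcpy(out, &value, sizeof value);
}

/* Returns the handle value the caller sees after the call. */
static uint64_t handle_after_call(int use_long_result)
{
    unsigned char frame[FRAME_SIZE] = {0};
    uint64_t handle = SAMPLE_HANDLE;
    long result = 0;
    int sockfd;

    memcpy(frame + HANDLE_OFF, &handle, sizeof handle);
    if (use_long_result) {
        /* After: receive into a real long, then narrow into the int slot. */
        store_long_result(&result, SAMPLE_SOCKET);
        sockfd = (int)result;
        memcpy(frame + SOCKFD_OFF, &sockfd, sizeof sockfd);
    } else {
        /* Before: result pointer aimed at the 4-byte slot; an 8-byte
           store runs on into the handle slot. */
        store_long_result(frame + SOCKFD_OFF, SAMPLE_SOCKET);
    }
    memcpy(&handle, frame + HANDLE_OFF, sizeof handle);
    return handle;
}

int main(void)
{
    printf("int slot:  handle = %#llx\n", (unsigned long long)handle_after_call(0));
    printf("long slot: handle = %#llx\n", (unsigned long long)handle_after_call(1));
    return 0;
}
```

With an 8-byte long on a little-endian machine, handle_after_call(0) returns 0 because the upper half of the stored long lands on the low half of the handle slot; handle_after_call(1) returns the handle unchanged.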