curl库doh_write_cb函数内存泄漏漏洞分析

本文详细分析了curl库中doh_write_cb函数存在的一个内存泄漏问题,包括漏洞复现步骤、堆栈跟踪信息以及开发团队的修复过程,涉及curl 8.13.0-DEV版本在DNS over HTTPS处理过程中的资源管理问题。

内存泄漏来自doh_write_cb函数

漏洞摘要

curl_fuzzer_http发现了一个内存泄漏问题

受影响版本

curl 8.13.0-DEV (x86_64-apple-darwin23.6.0)
libcurl/8.13.0-DEV OpenSSL/1.0.2n zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 nghttp2/1.55.1 librtmp/2.3
发布日期: [未发布]
协议支持: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp ws wss
功能特性: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP UnixSockets

复现步骤

使用复现程序运行fuzzer

支持材料/参考

堆栈跟踪如下:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

==14==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 107 byte(s) in 1 object(s) allocated from:
    #0 0x55da4969379c in realloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:82:3
    #1 0x55da496ff27b in curl_dbg_realloc /src/curl/lib/memdebug.c:265:9
    #2 0x55da497fc6f3 in dyn_nappend /src/curl/lib/dynbuf.c:111:15
    #3 0x55da497faee5 in doh_write_cb /src/curl/lib/doh.c:183:6
    #4 0x55da497f2636 in cw_out_ptr_flush /src/curl/lib/cw-out.c:224:16
    #5 0x55da497f1644 in cw_out_do_write /src/curl/lib/cw-out.c:383:14
    #6 0x55da497f0ab6 in cw_out_write /src/curl/lib/cw-out.c:416:14
    #7 0x55da497f2f62 in cw_pause_write /src/curl/lib/cw-pause.c:192:14
    #8 0x55da497476e1 in Curl_cwriter_write /src/curl/lib/sendf.c:184:10
    #9 0x55da497476e1 in cw_download_write /src/curl/lib/sendf.c:312:14
    #10 0x55da497415b9 in Curl_cwriter_write /src/curl/lib/sendf.c:184:10
    #11 0x55da497415b9 in Curl_client_write /src/curl/lib/sendf.c:92:12
    #12 0x55da498363a5 in Curl_http_write_resp /src/curl/lib/http.c:4201:14
    #13 0x55da49762635 in Curl_xfer_write_resp /src/curl/lib/transfer.c:862:14
    #14 0x55da4975e364 in sendrecv_dl /src/curl/lib/transfer.c:342:14
    #15 0x55da4975e364 in Curl_sendrecv /src/curl/lib/transfer.c:441:14
    #16 0x55da497250f5 in state_performing /src/curl/lib/multi.c:1733:12
    #17 0x55da497250f5 in multi_runsingle /src/curl/lib/multi.c:2423:12
    #18 0x55da497222f2 in curl_multi_perform /src/curl/lib/multi.c:2599:16
    #19 0x55da496d3e98 in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:419:5
    #20 0x55da496d2e47 in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:97:3

需要传递-runs=100参数,如:/out/curl_fuzzer_http /out/leak-247f5201c537eecc44d9f44dd815fd43f19a8a72 -runs=100,因为并非每次都会出现该问题

影响

内存泄漏可能最终导致拒绝服务(DOS)…

后续讨论

  • 报告者认为这可能不是安全问题而是信息性问题
  • curl团队确认该问题存在于DNS over HTTPS(doh.c)处理过程中,泄漏量小且不频繁
  • 团队提供了修复PR(#16834)并确认已合并
  • 报告者验证修复后确认问题已解决
  • 最终该报告被标记为"Informative"而非安全漏洞
comments powered by Disqus
© 2020 - 2025 qife
使用 Hugo 构建
主题 StackJimmy 设计
本站总访问量 本站访客数人次