@stefantalpalaru
Created January 13, 2023 16:18
=================================================================
==5558==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000c81df0 at pc 0x7f549a073309 bp 0x7f548f79b580 sp 0x7f548f79ad28
READ of size 3 at 0x603000c81df0 thread T20
#0 0x7f549a073308 in strdup (/usr/lib/gcc/x86_64-pc-linux-gnu/12/libasan.so.8+0x73308)
#1 0x7f5499fd6abe in Curl_ssl_addsessionid /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/vtls/vtls.c:514
#2 0x7f5499fcff3f in ossl_new_session_cb /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/vtls/openssl.c:2981
#3 0x7f549a757166 in ssl_update_cache ssl/ssl_lib.c:3566
#4 0x7f549a7712c3 in tls_process_new_session_ticket ssl/statem/statem_clnt.c:2748
#5 0x7f549a76c438 in read_state_machine ssl/statem/statem.c:636
#6 0x7f549a76c438 in state_machine ssl/statem/statem.c:434
#7 0x7f549a73f06a in ssl3_read_bytes ssl/record/rec_layer_s3.c:1670
#8 0x7f549a747c2f in ssl3_read_internal ssl/s3_lib.c:4477
#9 0x7f549a747c2f in ssl3_read ssl/s3_lib.c:4500
#10 0x7f549a754d62 in SSL_read ssl/ssl_lib.c:1799
#11 0x7f5499fd0640 in ossl_recv /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/vtls/openssl.c:4615
#12 0x7f5499fd5637 in ssl_cf_recv /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/vtls/vtls.c:1558
#13 0x7f5499f8ea54 in h2_cf_recv /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/http2.c:1788
#14 0x7f5499fad758 in Curl_read /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/sendf.c:699
#15 0x7f5499fbd068 in readwrite_data /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/transfer.c:461
#16 0x7f5499fbd068 in Curl_readwrite /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/transfer.c:1108
#17 0x7f5499fa3403 in multi_runsingle /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/multi.c:2420
#18 0x7f5499fa4f6b in curl_multi_perform /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/multi.c:2698
#19 0x56450559a944 in tr_web::Impl::curlThreadFunc() /src/77_DLD/CODE/00_github/transmission/libtransmission/web.cc:684
#20 0x7f54984d82de (/usr/lib/gcc/x86_64-pc-linux-gnu/12/libstdc++.so.6+0xd82de)
#21 0x7f54981c89a2 in start_thread /var/tmp/portage/sys-libs/glibc-2.36-r6/work/glibc-2.36/nptl/pthread_create.c:442
#22 0x7f549824b48b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
0x603000c81df0 is located 0 bytes inside of 23-byte region [0x603000c81df0,0x603000c81e07)
freed by thread T20 here:
#0 0x7f549a0bec68 (/usr/lib/gcc/x86_64-pc-linux-gnu/12/libasan.so.8+0xbec68)
#1 0x7f5499fc37e3 in reuse_conn /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/url.c:3374
#2 0x7f5499fc37e3 in create_conn /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/url.c:3727
#3 0x7f5499fc37e3 in Curl_connect /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/url.c:3933
#4 0x7f5499fa38c0 in multi_runsingle /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/multi.c:1942
previously allocated by thread T20 here:
#0 0x7f549a073348 in strdup (/usr/lib/gcc/x86_64-pc-linux-gnu/12/libasan.so.8+0x73348)
#1 0x7f5499fc1687 in parseurlandfillconn /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/url.c:1857
#2 0x7f5499fc1687 in create_conn /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/url.c:3452
#3 0x7f5499fc1687 in Curl_connect /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/url.c:3933
#4 0x7f5499fa38c0 in multi_runsingle /var/tmp/portage/net-misc/curl-9999/work/curl-9999/lib/multi.c:1942
Thread T20 created by T0 here:
#0 0x7f549a04a741 in __interceptor_pthread_create (/usr/lib/gcc/x86_64-pc-linux-gnu/12/libasan.so.8+0x4a741)
#1 0x7f54984d83a4 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/usr/lib/gcc/x86_64-pc-linux-gnu/12/libstdc++.so.6+0xd83a4)
#2 0x56450558b3d4 in std::__detail::_MakeUniq<tr_web::Impl>::__single_object std::make_unique<tr_web::Impl, tr_web::Mediator&>(tr_web::Mediator&) /usr/lib/gcc/x86_64-pc-linux-gnu/12/include/g++-v12/bits/unique_ptr.h:1065
#3 0x56450558b3d4 in tr_web::tr_web(tr_web::Mediator&) /src/77_DLD/CODE/00_github/transmission/libtransmission/web.cc:765
#4 0x56450558b3d4 in tr_web::create(tr_web::Mediator&) /src/77_DLD/CODE/00_github/transmission/libtransmission/web.cc:776
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/gcc/x86_64-pc-linux-gnu/12/libasan.so.8+0x73308) in strdup
Shadow bytes around the buggy address:
0x0c0680188360: 00 00 fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
0x0c0680188370: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 00
0x0c0680188380: fa fa fd fd fd fd fa fa 00 00 01 fa fa fa 00 00
0x0c0680188390: 01 fa fa fa 00 00 00 00 fa fa 00 00 01 fa fa fa
0x0c06801883a0: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 00
=>0x0c06801883b0: fa fa fd fd fd fd fa fa 00 00 07 fa fa fa[fd]fd
0x0c06801883c0: fd fa fa fa 00 00 00 00 fa fa fd fd fd fa fa fa
0x0c06801883d0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
0x0c06801883e0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
0x0c06801883f0: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
0x0c0680188400: 00 00 06 fa fa fa fd fd fd fd fa fa 00 00 06 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5558==ABORTING