curl: CVE-2022-42915: HTTP proxy double-free

This is a finding that Trail of Bits found in their ongoing curl security audit. Reported at a status meeting today.

Summary:

curl frees memory twice in some cleanup function related to HTTP proxies.

It as simple as curl -x http://localhost:80 dict://127.0.0.1

Using valgrind on the current git master, it shows:

==55921== Memcheck, a memory error detector
==55921== Copyright © 2002-2022, and GNU GPL’d, by Julian Seward et al.
==55921== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==55921== Command: ./src/curl -x http://localhost:80 dict://127.0.0.1
==55921== Parent PID: 3035
==55921==
==55921== Invalid free() / delete / delete[] / realloc()
==55921== at 0x484617B: free (vg_replace_malloc.c:872)
==55921== by 0x152464: curl_dbg_free (memdebug.c:297)
==55921== by 0x17E11C: Curl_free_request_state (url.c:2259)
==55921== by 0x179B38: Curl_close (url.c:421)
==55921== by 0x1482DD: curl_easy_cleanup (easy.c:799)
==55921== by 0x1359F4: post_per_transfer (tool_operate.c:657)
==55921== by 0x13D085: serial_transfers (tool_operate.c:2431)
==55921== by 0x13D5FC: run_all_transfers (tool_operate.c:2617)
==55921== by 0x13D972: operate (tool_operate.c:2729)
==55921== by 0x13427C: main (tool_main.c:276)
==55921== Address 0x5b1c790 is 0 bytes inside a block of size 984 free’d
==55921== at 0x484617B: free (vg_replace_malloc.c:872)
==55921== by 0x152464: curl_dbg_free (memdebug.c:297)
==55921== by 0x17AE5E: conn_free (url.c:810)
==55921== by 0x17B132: Curl_disconnect (url.c:893)
==55921== by 0x15D523: multi_runsingle (multi.c:2614)
==55921== by 0x15D7B6: curl_multi_perform (multi.c:2683)
==55921== by 0x147FFB: easy_transfer (easy.c:663)
==55921== by 0x14822C: easy_perform (easy.c:753)
==55921== by 0x148276: curl_easy_perform (easy.c:772)
==55921== by 0x13D064: serial_transfers (tool_operate.c:2429)
==55921== by 0x13D5FC: run_all_transfers (tool_operate.c:2617)
==55921== by 0x13D972: operate (tool_operate.c:2729)
==55921== Block was alloc’d at
==55921== at 0x48485EF: calloc (vg_replace_malloc.c:1328)
==55921== by 0x1521A6: curl_dbg_calloc (memdebug.c:175)
==55921== by 0x1BEC8F: connect_init (http_proxy.c:174)
==55921== by 0x1C02C2: Curl_proxyCONNECT (http_proxy.c:1061)
==55921== by 0x1BEA43: Curl_proxy_connect (http_proxy.c:118)
==55921== by 0x1B67D4: Curl_http_connect (http.c:1551)
==55921== by 0x15C03A: multi_runsingle (multi.c:2027)
==55921== by 0x15D7B6: curl_multi_perform (multi.c:2683)
==55921== by 0x147FFB: easy_transfer (easy.c:663)
==55921== by 0x14822C: easy_perform (easy.c:753)
==55921== by 0x148276: curl_easy_perform (easy.c:772)
==55921== by 0x13D064: serial_transfers (tool_operate.c:2429)
==55921==
==55921==
==55921== HEAP SUMMARY:
==55921== in use at exit: 0 bytes in 0 blocks
==55921== total heap usage: 4,712 allocs, 4,713 frees, 893,816 bytes allocated
==55921==
==55921== All heap blocks were freed – no leaks are possible
==55921==
==55921== For lists of detected and suppressed errors, rerun with: -s
==55921== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Impact

Double-free is nasty