    connectivity: fix crash when removing easy-handle from curl callback · 7f05debf
    Thomas Haller authored
    libcurl does not allow removing easy-handles from within a curl
    callback.
    
    That was already partly avoided for one handle alone. That is, when
    a handle completed inside a libcurl callback, it would only invoke the
    callback, but not yet delete it. However, that is not enough, because
    from within a callback another handle can be cancelled, leading to
    the removal of (the other) handle and a crash:
    
      ==24572==    at 0x40319AB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==24572==    by 0x52DDAE5: Curl_close (url.c:392)
      ==24572==    by 0x52EC02C: curl_easy_cleanup (easy.c:825)
      ==24572==    by 0x5FDCD2: cb_data_free (nm-connectivity.c:215)
      ==24572==    by 0x5FF6DE: nm_connectivity_check_cancel (nm-connectivity.c:585)
      ==24572==    by 0x55F7F9: concheck_handle_complete (nm-device.c:2601)
      ==24572==    by 0x574C12: concheck_cb (nm-device.c:2725)
      ==24572==    by 0x5FD887: cb_data_invoke_callback (nm-connectivity.c:167)
      ==24572==    by 0x5FD959: easy_header_cb (nm-connectivity.c:435)
      ==24572==    by 0x52D73CB: chop_write (sendf.c:612)
      ==24572==    by 0x52D73CB: Curl_client_write (sendf.c:668)
      ==24572==    by 0x52D54ED: Curl_http_readwrite_headers (http.c:3904)
      ==24572==    by 0x52E9EA7: readwrite_data (transfer.c:548)
      ==24572==    by 0x52E9EA7: Curl_readwrite (transfer.c:1161)
      ==24572==    by 0x52F4193: multi_runsingle (multi.c:1915)
      ==24572==    by 0x52F5531: multi_socket (multi.c:2607)
      ==24572==    by 0x52F5804: curl_multi_socket_action (multi.c:2771)
    
    Fix that by never invoking any callbacks when we are inside a libcurl
    callback. Instead, the handle is marked for completion and queued. Later,
    we complete all queued handles separately.
    
    While at it, drop the @error argument from NMConnectivityCheckCallback.
    It was only used to signal cancellation. Let's instead signal that via
    status NM_CONNECTIVITY_CANCELLED.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=797136
    https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1792745
    https://bugzilla.opensuse.org/show_bug.cgi?id=1107197
    https://github.com/NetworkManager/NetworkManager/pull/207
    
    Fixes: d8a31794
    (cherry picked from commit fa40fc6d)
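
The deferral described in the commit message above, as an added C sketch that is not NetworkManager's code: a completion that happens inside a (simulated) library callback only queues the handle, and user callbacks and frees run after the call has returned. `Check`, `check_complete`, `drain_completed` and the status names are hypothetical, and no libcurl functions are called.

```c
#include <stdlib.h>

enum { ST_PENDING, ST_OK, ST_CANCELLED };  /* hypothetical names throughout */
typedef struct Check Check;
struct Check {
    void (*cb)(Check *self, int status);  /* user callback */
    Check *peer, *next;   /* peer: handle the callback cancels; next: queue link */
    int status;
};
static Check *done_head, **done_tail = &done_head;
static int in_lib_cb;     /* > 0 while a simulated library callback is on the stack */

/* Mark the handle completed and queue it: no user callback, no free. */
static void check_complete(Check *c, int status) {
    if (c->status != ST_PENDING) return;  /* already queued */
    c->status = status;
    c->next = NULL;
    *done_tail = c;
    done_tail = &c->next;
}

/* Run only after the library call has returned; refuses to run inside a callback. */
static int drain_completed(void) {
    int n = 0;
    if (in_lib_cb) return -1;
    for (; done_head; n++) {
        Check *c = done_head;
        done_head = c->next;
        if (!done_head) done_tail = &done_head;
        c->cb(c, c->status);              /* may queue further handles */
        free(c);
    }
    return n;
}

/* User callback: on success, cancel the peer (the sequence in the backtrace). */
static void cancel_peer_cb(Check *self, int status) {
    if (status == ST_OK && self->peer) check_complete(self->peer, ST_CANCELLED);
}
/* Stand-in for a header callback invoked from inside the library. */
static void lib_header_cb(Check *c) { in_lib_cb++; check_complete(c, ST_OK); in_lib_cb--; }

/* Returns the number of handles completed and freed outside the callback. */
int run_demo(void) {
    Check *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    if (!a || !b) { free(a); free(b); return -1; }
    a->cb = b->cb = cancel_peer_cb;
    a->peer = b;
    lib_header_cb(a);          /* inside the "library": a is only queued */
    return drain_completed();  /* a's callback cancels b; both are freed here */
}
```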