Curl is one of the most popular command-line tools and libraries for transferring data with URLs. It's used in almost every operating system and countless applications. In October 2022, a security vulnerability known as CVE-2022-42915 was identified in curl versions from 7.77. up to (but not including) 7.86.. This bug can cause a double free, a risky memory issue that can lead to program crashes or, in some cases, actual code execution.
This post gives you a clear, accessible rundown of what this bug is, why it happens, and how you can replicate and fix it.
What is a Double Free?
Before we dive in, let’s clarify what a “double free” is.
- In programming, especially C/C++, memory is manually allocated and freed.
- If a chunk of memory is "freed" (released) twice, the program can get confused, potentially causing a crash or allowing an attacker to execute malicious code.
This is a *dangerous* type of bug and is often used by attackers to control program behavior.
Understanding The Vulnerability
Curl supports many protocols. Sometimes, it needs to go through a proxy for a transfer, even for things like FTP, dict, gopher, etc.
Here’s where the bug is
- If curl is told to use an HTTP proxy for a protocol like dict://, gopher://, gophers://, ldap://, ldaps://, rtmp://, rtmps://, or telnet://, it tries to establish a tunnel (using the CONNECT method) through the proxy.
- If the HTTP proxy rejects this tunnel (by returning anything other than a 200 OK), curl tries to clean up.
Due to some logic flaws in the cleanup process, curl ends up freeing the same memory two times.
This leads to a double free, which can crash programs or open up security threats.
To check your curl version
curl --version
How could an attacker exploit this?
- The attacker must have the victim use a curl command that goes through their controlled (malicious or misconfigured) HTTP proxy, with one of the affected protocols in the URL.
- The attacker’s proxy responds to the CONNECT request with a non-200 HTTP status (like 403, 500, etc.).
Curl's handling of this error makes it mistakenly double-free part of its internal structures.
- Depending on the environment and system, this can lead to a crash (denial of service) or, under rare conditions, remote code execution.
Which protocols can trigger the bug?
- dict://
- gopher://
- gophers://
- ldap://
- ldaps://
- rtmp://
- rtmps://
- telnet://
Code Snippet: How the Double Free Can Happen
Let’s see a minimal C example showing double-free behavior, then show how curl’s code had a similar logic error.
Simple Double Free Example in C
#include <stdio.h>
#include <stdlib.h>
int main() {
char *ptr = malloc(100);
free(ptr);
// Oops! free the same pointer again!
free(ptr); // This is the "double free"
return ;
}
Here’s how curl’s own flow could get confused (simplified for clarity)
if (need_proxy) {
proxy_conn = make_proxy_connect();
if (proxy_conn_fail) {
cleanup(proxy_conn); // Frees some memory
/* ... */
cleanup(proxy_conn); // Frees the same memory again!
}
}
The real security advisory and patch show that certain cleanup paths didn’t check if memory had already been released, leading to two frees of the same thing.
`sh
curl --proxy http://yourproxy:port gopher://somehost/
References
- Official curl advisory for CVE-2022-42915
- curl commit fixing the bug
- What is a double free? (Wikipedia)
- curl Changelog 7.86.
Summary:
If you use curl (especially in scripts or server applications), make sure to upgrade to at least 7.86.. Double-free vulnerabilities like CVE-2022-42915 are tricky and can lead to serious security issues, even with such a simple mistake. Stay patched!
Timeline
Published on: 10/29/2022 20:15:00 UTC
Last modified on: 11/14/2022 15:16:00 UTC