fix race condition and potential crash in curl usage; release 1.4.4.1

in oauth2_url_encode / oauth2_url_decode
see OpenIDC/mod_oauth2#27; thanks @rtitle

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>

Author: zandbelt

AUTHORS

@@ -10,3 +10,4 @@ reporting bugs, providing fixes, suggesting useful features or other:
 	Alexander Bokovoy <https://github.com/abbra>
 	Niebardzo <https://github.com/niebardzo>
 	Mikael Broadfoot <https://github.com/broadfootmi>
+	Robert Title <https://github.com/rtitle>

ChangeLog

@@ -1,3 +1,8 @@
+03/03/2022
+- fix race condition and potential crash in curl usage in oauth2_url_decode
+  see zmartzone/mod_oauth2#27; thanks @rtitle
+- release 1.4.4.1
+
 12/23/2021
 - allow deprecated declarations to build with OpenSSL 3.0; see #31
 - release 1.4.4

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([liboauth2],[1.4.4],[hans.zandbelt@zmartzone.eu])
+AC_INIT([liboauth2],[1.4.4.1],[hans.zandbelt@zmartzone.eu])
 
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
 AC_CONFIG_MACRO_DIR([m4])

src/cache.c

@@ -273,9 +273,11 @@ static const char *_oauth_cache_get_enc_key(oauth2_log_t *log,
 		cache->enc_key = oauth2_strdup(passphrase);
 	} else {
 		//		if (oauth2_jose_hash_bytes(log,
-		//passphrase_hash_algo, 					   (const unsigned char *)passphrase,
-		//					   strlen(passphrase),
-		//&cache->enc_key, 					   &enc_key_len) == false) {
+		// passphrase_hash_algo,
+		// (const unsigned char *)passphrase,
+		// strlen(passphrase),
+		//&cache->enc_key,
+		//&enc_key_len) == false) {
 		if (oauth2_jose_hash2s(log, passphrase_hash_algo, passphrase,
 				       &cache->enc_key) == false) {
 			oauth2_error(

src/util.c

@@ -24,6 +24,7 @@
 #include <ctype.h>
 #include <string.h>
 
+#include "oauth2/ipc.h"
 #include "oauth2/log.h"
 #include "oauth2/mem.h"
 #include "oauth2/util.h"
@@ -40,16 +41,20 @@
 #include "cfg_int.h"
 
 static CURL *_s_curl = NULL;
-static oauth2_uint_t _curl_refcount = 0;
+static oauth2_ipc_mutex_t *_curl_mutex = NULL;
 
 oauth2_log_t *oauth2_init(oauth2_log_level_t level, oauth2_log_sink_t *sink)
 {
+	oauth2_log_t *log = NULL;
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	// TODO: align flags/call with memory initialization in mem.c
 	//       possibly providing alloc funcs as part of init?
 	curl_global_init(CURL_GLOBAL_ALL);
-	return oauth2_log_init(level, sink);
+	log = oauth2_log_init(level, sink);
+	_curl_mutex = oauth2_ipc_mutex_init(log);
+	oauth2_ipc_mutex_post_config(log, _curl_mutex);
+	return log;
 }
 
 void oauth2_shutdown(oauth2_log_t *log)
@@ -61,6 +66,10 @@ void oauth2_shutdown(oauth2_log_t *log)
 		curl_easy_cleanup(_s_curl);
 		_s_curl = NULL;
 	}
+	if (_curl_mutex != NULL) {
+		oauth2_ipc_mutex_free(log, _curl_mutex);
+		_curl_mutex = NULL;
+	}
 	curl_global_cleanup();
 	EVP_cleanup();
 	ERR_free_strings();
@@ -243,23 +252,19 @@ int oauth2_strnenvcmp(const char *a, const char *b, int len)
 
 static CURL *oauth2_curl_init(oauth2_log_t *log)
 {
+	oauth2_ipc_mutex_lock(log, _curl_mutex);
 	if (_s_curl == NULL) {
 		_s_curl = curl_easy_init();
 		if (_s_curl == NULL) {
 			oauth2_error(log, "curl_easy_init() error");
 		}
 	}
-	_curl_refcount++;
 	return _s_curl;
 }
 
-static void oauth2_curl_free(CURL *curl)
+static void oauth2_curl_free(oauth2_log_t *log, CURL *curl)
 {
-	_curl_refcount--;
-	if ((_curl_refcount == 0) && (_s_curl)) {
-		curl_easy_cleanup(_s_curl);
-		_s_curl = NULL;
-	}
+	oauth2_ipc_mutex_unlock(log, _curl_mutex);
 }
 
 char *oauth2_url_encode(oauth2_log_t *log, const char *src)
@@ -290,7 +295,7 @@ char *oauth2_url_encode(oauth2_log_t *log, const char *src)
 	if (rc)
 		curl_free(rc);
 	if (curl)
-		oauth2_curl_free(curl);
+		oauth2_curl_free(log, curl);
 
 	oauth2_debug(log, "leave: %s", dst);
 
@@ -340,7 +345,7 @@ char *oauth2_url_decode(oauth2_log_t *log, const char *src)
 	if (replaced)
 		oauth2_mem_free(replaced);
 	if (curl)
-		oauth2_curl_free(curl);
+		oauth2_curl_free(log, curl);
 
 	oauth2_debug(log, "leave: %s", dst);