I can confirm this is the same bug (the test log errors at the end of
stenocurl, which passes --cacert "$CERTPATH/ca_cert.pem"). This can be
trivially reproduced by running
-- >8 --
$ openssl req -x509 -newkey rsa:4096 -sha256 -days 1 -nodes -keyout "/tmp/snakeoil.key" -out "/tmp/snakeoil.crt" -subj "/CN=localhost"
Generating a RSA private key
....................++++
...............++++
writing new private key to '/tmp/snakeoil.key'
-----
$ python3 -uc "
import http.server, ssl, sys, os, time, random

sys.stdin.close()

httpd, err, port = None, None, None
for i in range(1, 100):
        port = random.randint(0xC000, 0xFFFF) # ephemeral range
        try:
                httpd = http.server.HTTPServer(('localhost', port), http.server.SimpleHTTPRequestHandler)
                break
        except:
                err = sys.exc_info()[1]
                time.sleep(i / 100)
if not httpd:
        raise err

with open('/tmp/snakeoil.port', 'w') as portf:
        print(port, file=portf)

httpd.socket = ssl.wrap_socket(httpd.socket, server_side=True, keyfile='/tmp/snakeoil.key', certfile='/tmp/snakeoil.crt', ssl_version=ssl.PROTOCOL_TLS)

print('{} start on {}'.format(os.getpid(), port))
httpd.serve_forever()
" &

$ read -r port < /tmp/snakeoil.port
$ curl --cacert /tmp/snakeoil.crt https://localhost:$port
curl: (27) Out of memory
$ curl --insecure https://localhost:$port 2>/dev/null | wc
127.0.0.1 - - [18/Mar/2022 15:16:46] "GET / HTTP/1.1" 200 -
     66     133    2570
-- >8 --

As well as any program that uses libcurl's CURLOPT_CAINFO:
-- >8 --
# SSL_CA_CERT_FILE=/tmp/snakeoil.crt zfs create -o encryption=on -o keyformat=passphrase -o keylocation=https://localhost:$port/PASSPHRASE testpool/testfs2
cannot create 'testpool/testfs2': Failed to connect to https://localhost:55645/PASSPHRASE: Out of memory
-- >8 --

I've rebuilt curl 7.82.0-1+b1 with upstream commit
  https://github.com/curl/curl/commit/911714d617c106ed5d553bf003e34ec94ab6a136
which fixes this (and applies cleanly), and can also confirm that it
fixes the issue at hand:
-- >8 --
$ curl --cacert /tmp/snakeoil.crt https://localhost:$port 2>/dev/null | wc
127.0.0.1 - - [18/Mar/2022 16:14:26] "GET / HTTP/1.1" 200 -
     45      91    2530
# SSL_CA_CERT_FILE=/tmp/snakeoil.crt zfs create -o encryption=on -o keyformat=passphrase -o keylocation=https://localhost:56107/PASSPHRASE testpool/testfs2
$ zfs get keylocation testpool/testfs2
testpool/testfs2        keylocation     https://localhost:56107/PASSPHRASE local
-- >8 --

If a release with the fix isn't coming out in the near future I think
it'd be nice if a -2 package were published with that commit in as a
patch; this, clearly, breaks primarily autotests (indeed, this driver
is extracted verbatim from the ZFS test suite).

Best,
наб
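The reproduction above is the kind of thing that belongs in a regression check so that a broken --cacert path is caught before it takes down a test suite. The script below is an added example, not the reporter's driver or anything from the ZFS test suite: it generates a throwaway localhost certificate with the openssl CLI, serves it over TLS using ssl.SSLContext (the current API; ssl.wrap_socket used in the driver above was removed in Python 3.12), lets the OS pick a loopback port instead of retrying random ones, and classifies curl's result. It assumes `openssl` and `curl` are on PATH; the exit status 27 and the "Out of memory" text it looks for are the ones shown in the report.

```python
# Added example (not the bug report author's driver): regression check that a
# curl build accepts a CA file passed via --cacert against a local TLS server.
# Assumes `openssl` and `curl` are on PATH.
import http.server
import os
import re
import ssl
import subprocess
import tempfile
import threading

# curl's CURLE_OUT_OF_MEMORY exit status, the code seen in the report above
CURLE_OUT_OF_MEMORY = 27


def make_self_signed_cert(workdir):
    """Generate a throwaway key/cert pair for CN=localhost with the openssl CLI."""
    key = os.path.join(workdir, "snakeoil.key")
    crt = os.path.join(workdir, "snakeoil.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-sha256", "-days", "1",
         "-nodes", "-keyout", key, "-out", crt, "-subj", "/CN=localhost"],
        check=True, capture_output=True)
    return key, crt


def start_tls_server(key, crt):
    """Serve the current directory over HTTPS on an OS-chosen loopback port.

    Returns (server, port); the caller is responsible for shutting it down.
    """
    httpd = http.server.HTTPServer(("localhost", 0), http.server.SimpleHTTPRequestHandler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=crt, keyfile=key)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


def probe_with_curl(port, cacert):
    """Fetch / from the local server, trusting only `cacert`; -S keeps errors visible."""
    proc = subprocess.run(
        ["curl", "-sS", "--cacert", cacert, "https://localhost:%d/" % port],
        capture_output=True, text=True)
    return proc.returncode, proc.stderr


def classify_curl_result(returncode, stderr):
    """Map curl's exit status and stderr onto one of three verdicts:
    "ok" (CA file accepted), "cainfo-bug" (the exit 27 / Out of memory signature
    from the report), or "other-failure" (anything else, e.g. a genuine TLS error)."""
    if returncode == 0:
        return "ok"
    if returncode == CURLE_OUT_OF_MEMORY and re.search(r"out of memory", stderr, re.I):
        return "cainfo-bug"
    return "other-failure"


def run_check():
    """Full round trip: cert, server, curl probe, verdict."""
    with tempfile.TemporaryDirectory() as workdir:
        key, crt = make_self_signed_cert(workdir)
        httpd, port = start_tls_server(key, crt)
        try:
            rc, err = probe_with_curl(port, crt)
        finally:
            httpd.shutdown()
            httpd.server_close()
    return classify_curl_result(rc, err), rc, err.strip()


if __name__ == "__main__":
    verdict, rc, err = run_check()
    print("curl --cacert verdict: %s (exit %d) %s" % (verdict, rc, err))
    raise SystemExit(0 if verdict == "ok" else 1)
```

Run it as a step in CI: a non-zero exit means the installed curl (or the libcurl it is built on) rejected a CA file it should have accepted, and the verdict distinguishes the signature from this report from unrelated TLS failures such as a hostname mismatch.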
