curl-and-python

Re: aborting a transaction

From: <johansen_at_sun.com>
Date: Wed, 23 Sep 2009 16:03:30 -0700

Daniel,

On Wed, Sep 23, 2009 at 11:22:09PM +0200, Daniel Stenberg wrote:
> On Wed, 23 Sep 2009, johansen_at_sun.com wrote:
>
>>> arguably you could be handed an endless header and obliterate all
>>> memory. I put a configurable max header size (default to 2mb) in
>>> place and work from there.
>>
>> Is this actually a case that we can hit if the client hasn't installed
>> a HEADERFUNCTION? I'm a bit surprised that curl would hold onto all of
>> the headers, instead of just extracting the ones that it cares about.
>
> It doesn't. It does create a buffer large enough to hold a single header
> line, so if you send an enormously long header line libcurl will
> allocate such a buffer. I guess we could consider a max length for
> sensible headers...

Thanks for clarifying this point.

Perhaps I have misunderstood, but based upon your description, doesn't
this limit what the HEADERFUNCTION can do to defend against such an
attack? If the remote host sends libcurl an arbitrarily long string and
the library allocates space to hold it, then the client will have
allocated a large amount of memory before the HEADERFUNCTION has a
chance to return a write error and abort the transaction. Is the idea
that if the HEADERFUNCTION returns a write error, then we'll free the
header buffer before we get into too much trouble?

Thanks,

-j
Received on 2009-09-24
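
The header limit discussed in this thread, as an added example that is not part of the original message or of pycurl itself: a HEADERFUNCTION callback that enforces a total budget (the 2 MB default mentioned above) and a per-line cap. The names HeaderBudget, deliver and attach and the 64 KB per-line value are assumptions; deliver only simulates libcurl calling the callback so the logic can run offline.

```python
class HeaderBudget:
    """HEADERFUNCTION callback that aborts once headers exceed a budget."""

    def __init__(self, max_total=2 * 1024 * 1024, max_line=64 * 1024):
        self.max_total = max_total  # 2 MB, the default mentioned in the thread
        self.max_line = max_line    # assumed per-line limit, not from the thread
        self.total = 0
        self.reason = None          # set when the transfer is aborted

    def __call__(self, line):
        # libcurl delivers one complete header line per call (bytes).
        # By now the line is already in libcurl's buffer, so the per-line
        # check stops further processing but cannot undo that allocation.
        if len(line) > self.max_line:
            self.reason = "header line of %d bytes" % len(line)
            return -1               # != len(line): libcurl aborts the transfer
        self.total += len(line)
        if self.total > self.max_total:
            self.reason = "headers total %d bytes" % self.total
            return -1
        return None                 # pycurl treats None as "all bytes accepted"


def deliver(guard, lines):
    """Simulate libcurl feeding header lines; return how many were accepted."""
    accepted = 0
    for line in lines:
        result = guard(line)
        if result is not None and result != len(line):
            break                   # libcurl would fail with a write error here
        accepted += 1
    return accepted


def attach(curl, guard):
    """Install the guard on a pycurl.Curl handle (needs pycurl installed)."""
    import pycurl
    curl.setopt(pycurl.HEADERFUNCTION, guard)


if __name__ == "__main__":
    # Constructed sample: a normal response, then an endless stream of headers.
    normal = [b"HTTP/1.1 200 OK\r\n", b"Content-Type: text/html\r\n", b"\r\n"]
    flood = [b"X-Pad: " + b"a" * 20 + b"\r\n"] * 1000
    g = HeaderBudget(max_total=1024, max_line=256)
    print(deliver(g, normal + flood), g.reason)
```

The total budget bounds a response that sends many headers; the per-line check runs only after libcurl has buffered the line, which is the limitation raised in the message above.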