cURL / Mailing Lists / curl-library / Single Mail


Serious bug in 7.10

From: Craig Davison <>
Date: Tue, 8 Oct 2002 11:38:16 -0600


I found what might be a bug in curl 7.10 when using HTTPS and the CURLOPT_HEADERFUNCTION option. I suspect the bug is caused by heap corruption.

Basically, curl passes text data with large blocks of null bytes in the middle to the HEADERFUNCTION function. I've attached a program that reproduces this. Here's an output sample:
Content-Type: text^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
This also happens with curl 7.10 with HTTP through a stunnel tunnel!

Here's the same data using curl 7.9.8 or below:
Content-Type: text/html^M^J

I attempted to get around this in a project I'm working on by ignoring the null bytes in my HEADERFUNCTION function. While this allowed me to get the headers correctly, curl was unstable and produced random errors when I used curl_formadd. I've seen that call fail when the heap is corrupt.

As I said, a sample program is attached. I've only found two websites that produce this failure, and both of them happen to be securityfocus sites :P. I'll use as an example.

To use the sample program:

To test with stunnel:
stunnel -d localhost:1234 -c -r
./https_headers_bug http://localhost:1234/

You'll want to pipe these through more. The program spits out all the data it receives in the DATA: lines (this is the interesting part), and then spits out the first 1000 bytes of the header and body in the HEADER and BODY sections (ignore these).

I've performed these tests with openssl 0.9.6, 0.9.6a and 0.9.6b on OpenBSD 2.9, FreeBSD 4.5 and RedHat 7.3. The "working" versions of curl were 7.9.5 and 7.9.8. On one of the boxes, stunnel was statically linked to openssl 0.9.6g (the latest version).

Craig Davison
Symantec Corporation
+1 (403) 213-3939 ext. 228

This email is sponsored by:ThinkGeek
Welcome to geek heaven.

Received on 2002-10-08