cURL / Mailing Lists / curl-library / Single Mail

curl-library

Serious bug in 7.10

From: Craig Davison <cd_at_securityfocus.com>
Date: Tue, 8 Oct 2002 11:38:16 -0600

Hello,

I found what might be a bug in curl 7.10 when using HTTPS and the CURLOPT_HEADERFUNCTION option. I suspect the bug is caused by heap corruption.

Basically, curl passes text data with large blocks of null bytes in the middle to the HEADERFUNCTION function. I've attached a program that reproduces this. Here's an output sample:
Content-Type: text^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@/html^M^J
This also happens with curl 7.10 with HTTP through a stunnel tunnel!

Here's the same data using curl 7.9.8 or below:
Content-Type: text/html^M^J

I attempted to get around this in a project I'm working on by ignoring the null bytes in my HEADERFUNCTION function. While this allowed me to get the headers correctly, curl was unstable and produced random errors when I used curl_formadd. I've seen that call fail when the heap is corrupt.

As I said, a sample program is attached. I've only found two websites that produce this failure, and both of them happen to be securityfocus sites :P. I'll use analyzer.securityfocus.com as an example.

To use the sample program:
./https_headers_bug https://analyzer.securityfocus.com/

To test with stunnel:
stunnel -d localhost:1234 -c -r analyzer.securityfocus.com:443
./https_headers_bug http://localhost:1234/

You'll want to pipe these through more. The program spits out all the data it receives in the DATA: lines (this is the interesting part), and then spits out the first 1000 bytes of the header and body in the HEADER and BODY sections (ignore these).

I've performed these tests with openssl 0.9.6, 0.9.6a and 0.9.6b on OpenBSD 2.9, FreeBSD 4.5 and RedHat 7.3. The "working" versions of curl were 7.9.5 and 7.9.8. On one of the boxes, stunnel was statically linked to openssl 0.9.6g (the latest version).

-- 
Craig Davison
Symantec Corporation
+1 (403) 213-3939 ext. 228

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

text/plain attachment: https_headers_bug.c

Received on 2002-10-08

This message: [ Message body ]
Next message: Craig Davison: "Re: Serious bug in 7.10"
Previous message: U-BLENDERAdministrator: "Re: Can't connect: how to find out why ?"
Next in thread: Craig Davison: "Re: Serious bug in 7.10"
Reply: Craig Davison: "Re: Serious bug in 7.10"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]