cURL / Mailing Lists / curl-library / Single Mail


Error buffer overflow

From: James Bursa <>
Date: Sat, 25 Oct 2003 22:34:02 +0100

I've found that buffer set by CURLOPT_ERRORBUFFER may be written to one byte
more than CURL_ERROR_SIZE. The documentation states "The buffer must be at
least CURL_ERROR_SIZE big", which I interpret as meaning that a buffer of
size CURL_ERROR_SIZE is acceptable. The overflow occurs when you attempt to
access a local file with a very long name which doesn't exist.

There are two different places in libcurl which may overflow. If the URL is
exactly (CURL_ERROR_SIZE - 13) characters long and CURLOPT_VERBOSE is set,
then Curl_failf() writes a 0 at error_buffer[CURL_ERROR_SIZE] (line 160).
(The 13 is for "Couldn't open file ".)

If the URL is anything longer then curl_mvsnprintf() writes a 0 at the same
position (line 994). I think this is different behaviour from usual

A test case is attached. Comment out line 18 to get the second case.


This email is sponsored by: The Donation Program.
Do you like what is doing for the Open
Source Community? Make a contribution, and help us add new
features and functionality. Click here:

Received on 2003-10-25