cURL / Mailing Lists / curl-library / Single Mail

curl-library

Error buffer overflow

From: James Bursa <bursa_at_users.sourceforge.net>
Date: Sat, 25 Oct 2003 22:34:02 +0100

I've found that buffer set by CURLOPT_ERRORBUFFER may be written to one byte
more than CURL_ERROR_SIZE. The documentation states "The buffer must be at
least CURL_ERROR_SIZE big", which I interpret as meaning that a buffer of
size CURL_ERROR_SIZE is acceptable. The overflow occurs when you attempt to
access a local file with a very long name which doesn't exist.

There are two different places in libcurl which may overflow. If the URL is
exactly (CURL_ERROR_SIZE - 13) characters long and CURLOPT_VERBOSE is set,
then Curl_failf() writes a 0 at error_buffer[CURL_ERROR_SIZE] (line 160).
(The 13 is for "Couldn't open file ".)

If the URL is anything longer then curl_mvsnprintf() writes a 0 at the same
position (line 994). I think this is different behaviour from usual
vsnprintf().

A test case is attached. Comment out line 18 to get the second case.

James

-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community? Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/

Received on 2003-10-25