cURL / Mailing Lists / curl-library / Single Mail


Re: Error buffer overflow

From: Daniel Stenberg <>
Date: Sun, 26 Oct 2003 16:41:05 +0100 (CET)

On Sat, 25 Oct 2003, James Bursa wrote:

> I've found that buffer set by CURLOPT_ERRORBUFFER may be written to one byte
> more than CURL_ERROR_SIZE. The documentation states "The buffer must be at
> least CURL_ERROR_SIZE big", which I interpret as meaning that a buffer of
> size CURL_ERROR_SIZE is acceptable. The overflow occurs when you attempt to
> access a local file with a very long name which doesn't exist.
> There are two different places in libcurl which may overflow. If the URL is
> exactly (CURL_ERROR_SIZE - 13) characters long and CURLOPT_VERBOSE is set,
> then Curl_failf() writes a 0 at error_buffer[CURL_ERROR_SIZE] (line 160).
> (The 13 is for "Couldn't open file ".)
> If the URL is anything longer then curl_mvsnprintf() writes a 0 at the same
> position (line 994). I think this is different behaviour from usual
> vsnprintf().


It is amazing that this bug has been around for so many years without anyone
ever noticing before.

Well done, James! A fix was committed to CVS a few moments ago.

 Daniel Stenberg -- curl: been grokking URLs since 1998
This email is sponsored by: The Donation Program.
Do you like what is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here:
Received on 2003-10-26