
curl-library

Re: crash in libcurl - Symbian

From: Frank McGeough <fmcgeough_at_mac.com>
Date: Mon, 18 May 2009 06:03:49 -0700

The problem is that the socket send call is returning a bytes_written that is larger than len (number of bytes we're requesting to write). This is a clear bug in the socket library. I'm not sure whether this happens only on the emulator (which is ultimately using Windows sockets) or occurs on device as well. I'm reporting this issue to Nokia.
 
On Sunday, May 17, 2009, at 07:41PM, "Frank McGeough" <fmcgeough_at_mac.com> wrote:
>After tracing through the code a bit the problem occurs in transfer.c
>in :
>
>static CURLcode readwrite_upload(struct SessionHandle *data,
>                                 struct connectdata *conn,
>                                 struct SingleRequest *k,
>                                 int *didwhat)
>
>The local variable bytes_written is set to a value greater than
>data->req.upload_present. The statements where I see the problem are:
>
>    if(data->req.upload_present != bytes_written) {
>      /* we only wrote a part of the buffer (if anything), deal with it! */
>
>      /* store the amount of bytes left in the buffer to write */
>      data->req.upload_present -= bytes_written;
>
>The if statement evaluates to true but the code's assumption is that
>bytes_written will never be greater than data->req.upload_present.
>Still tracing to see why this is not true in my case.
>
>On May 17, 2009, at 6:44 PM, Frank McGeough wrote:
>
>> After getting libcurl to compile for Symbian - Nokia 5th edition SDK
>> 1,0 - I began implementing a protocol that sits on top of HTTP/HTTPS.
>> Although simple GETs and POSTs work fine, a GET with my own
>> headers supplied crashes with a memory overrun down in curlib.
>> Perhaps I'm doing something wrong but I've narrowed the code down as
>> much as I can and it's just not doing that much. Here it is:
>>
>> #include <iostream>
>> #include <curl/curl.h>
>>
>> void testGetWithHeaders(char* url)
>> {
>>   CURL *curl;
>>   CURLcode curl_result;
>>
>>   curl = curl_easy_init();
>>
>>   if (curl)
>>   {
>>     curl_easy_setopt(curl, CURLOPT_URL, url);
>>
>>     // custom request headers sent with the GET
>>     struct curl_slist *headers=NULL;
>>     headers = curl_slist_append(headers, "x-mm-clientid: nmm:xyz3.1$oper_at_nok.b71.cyld");
>>     headers = curl_slist_append(headers, "x-mm-commandid: 2");
>>     headers = curl_slist_append(headers, "x-mm-cookie: NIC=NIC-7668-27");
>>     headers = curl_slist_append(headers, "x-mm-cookie: PIC=PIC-7668-28");
>>     curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
>>
>>     curl_result = curl_easy_perform(curl);
>>     // the header list must stay alive until the transfer is done
>>     curl_slist_free_all(headers);
>>     curl_easy_cleanup(curl);
>>     if (curl_result == CURLE_OK)
>>     {
>>       std::cout << "OK!" << std::endl;
>>     }
>>     else
>>     {
>>       // something went wrong - error code is in curl_result
>>       std::cout << "libcurl error code #" << curl_result << std::endl;
>>     }
>>   }
>> }
>>
>> The crash occurs in curl_easy_perform. It looks like after the GET
>> returns with the data (the server sends back HTTP/1.1 200 OK), the
>> curlib attempts to write a giant amount of data back. This is
>> because data->req.upload_present is set to -103. That value gets
>> passed in as size_t len in :
>>
>> CURLcode Curl_write(struct connectdata *conn, curl_socket_t sockfd,
>> const void *mem, size_t len, ssize_t *written)
>>
>> and becomes 4294967188.
>>
>> If anyone has suggestions to track this down further or some idea of
>> something stupid that I'm doing they'd be appreciated. thanks.
>
>
Received on 2009-05-18
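
The failure mode discussed in this thread, as an added example that is not part of the original mails and is not libcurl code: a send layer that reports more bytes written than were requested drives the remaining-byte count negative, and that count becomes a huge length once it is passed as an unsigned 32-bit size. The function names and the sample values (200 bytes pending, 210 reported) are constructed for illustration; uint32_t models size_t on a 32-bit target.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>  /* ssize_t */

/* Hypothetical stand-in for the bookkeeping quoted from transfer.c:
   subtracts whatever the send layer reported, with no upper-bound check. */
static ssize_t remaining_unchecked(ssize_t upload_present,
                                   ssize_t bytes_written)
{
  if(upload_present != bytes_written)
    upload_present -= bytes_written; /* negative if written > present */
  else
    upload_present = 0;
  return upload_present;
}

/* What the remainder turns into when handed on as a 32-bit unsigned
   length (assumption: size_t is 32 bits wide on the target). */
static uint32_t as_len32(ssize_t remaining)
{
  return (uint32_t)remaining;
}

/* Defensive variant: a result outside [0, upload_present] violates the
   send contract, so reject it instead of updating the counter.
   Returns 0 on success, -1 on an impossible result. */
static int remaining_checked(ssize_t upload_present, ssize_t bytes_written,
                             ssize_t *remaining)
{
  if(bytes_written < 0 || bytes_written > upload_present)
    return -1;
  *remaining = upload_present - bytes_written;
  return 0;
}

int main(void)
{
  ssize_t left = remaining_unchecked(200, 210); /* constructed values */
  ssize_t ok_left = 0;

  printf("unchecked remainder: %ld\n", (long)left);
  printf("as 32-bit length:    %lu\n", (unsigned long)as_len32(left));
  printf("checked, bogus send: %d\n", remaining_checked(200, 210, &ok_left));
  printf("checked, short send: %d (left %ld)\n",
         remaining_checked(200, 150, &ok_left), (long)ok_left);
  return 0;
}
```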