cURL
Haxx ad
libcurl
Mailing Lists

curl's project page on SourceForge.net

Sponsors:
Haxx

cURL > Mailing List > Monthly Index > Single Mail

curl-tracker mailing list Archives

[ curl-Bugs-1698974 ] Memory leak vulnerability in source file "if2ip.c"

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Thu, 12 Apr 2007 13:09:39 -0700

Bugs item #1698974, was opened at 2007-04-12 09:18
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1698974&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: bad behaviour
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: songma (songmash)
Assigned to: Nobody/Anonymous (nobody)
Summary: Memory leak vulnerability in source file "if2ip.c"

Initial Comment:
Hi,

I found there's one memory problem in source file "if2ip.c". In function "Curl_if2ip()" it has the following statements:

" 85 char *Curl_if2ip(const char *interface, char *buf, int buf_size)
     86 {
     87 int dummy;
     88 char *ip=NULL;
     89
     90 if(!interface)
     91 return NULL;
     92
     93 dummy = socket(AF_INET, SOCK_STREAM, 0);
     94 if (SYS_ERROR == dummy) {
     95 return NULL;
     96 }
     97 else {
     98 struct ifreq req;
     99 size_t len = strlen(interface);
    100 memset(&req, 0, sizeof(req));
    101 if(len >= sizeof(req.ifr_name))
    102 return NULL; /* this can't be a fine interface name */
     ... ...
"

At line 93 it opened a socket and return the socket file descriptor. but at line 102, if the size of system interface name is bigger than the given size "
req.ifr_name" the function will exit and return NULL. However I think the function "Curl_if2ip" shall close the socket it opened at line 93 first thus to release all resource related with it. Otherwise this opened socket will never be closed by someone.

The fix may looks like:
    101 if(len >= sizeof(req.ifr_name)) {
    102 sclose(dummy);
    103 return NULL; /* this can't be a fine interface name */
    104 }

Best Regards,
Song Ma

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2007-04-12 22:09

Message:
Logged In: YES
user_id=1110
Originator: NO

Thanks, fix committed!

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1698974&group_id=976
Received on 2007-04-12

These mail archives are generated by hypermail.

donate! Page updated November 12, 2010.
web site info

File upload with ASP.NET