
curl-tracker mailing list Archives

[ curl-Bugs-2026240 ] CURL_READFUNC_PAUSE leads to buffer overrun

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Sat, 26 Jul 2008 21:16:18 +0000

Bugs item #2026240, was opened at 2008-07-24 01:50
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2026240&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: bad behaviour
>Status: Closed
Resolution: Accepted
Priority: 7
Private: No
Submitted By: David Bau (davidbau)
Assigned to: Daniel Stenberg (bagder)
Summary: CURL_READFUNC_PAUSE leads to buffer overrun

Initial Comment:
If you return CURL_READFUNC_PAUSE from a read callback, you end up in transfer.c returning CURLE_OK from Curl_fillreadbuffer, without ever assigning to *nreadp. This leads to buffer overreading and garbage being sent on the socket.

The fix is to make sure *nreadp is assigned before exiting the function.

There is also a second problem with CURL_READFUNC_PAUSE: pausing the read callback should pause socket sends, not socket recv's. I.e., it should set KEEP_WRITE_PAUSE, not KEEP_READ_PAUSE.

A diff fixing both issues is included.

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2008-07-26 23:16

Message:
Logged In: YES
user_id=1110
Originator: NO

Thanks, patch applied and committed just now!

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-07-25 23:41

Message:
Logged In: YES
user_id=1110
Originator: NO

Thanks a lot, I'm looking at it and it looks accurate and fine so far!

----------------------------------------------------------------------

Received on 2008-07-26
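
The failure pattern from the initial comment, as an added example that is not libcurl source and not part of the original mail: a fill function that returns success on the pause path without writing its out-parameter, next to a form that assigns it on every exit. The names `xfer`, `paused_cb`, `fill_before`, `fill_after` and `send_len`, the flag bit values, and the buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of the pattern in the report; not libcurl source. */
#define READFUNC_PAUSE   0x10000001 /* CURL_READFUNC_PAUSE as defined in curl.h */
#define KEEP_READ_PAUSE  (1 << 0)   /* constructed bit values */
#define KEEP_WRITE_PAUSE (1 << 1)
#define BUFSZ 16
struct xfer { int keepon; char buf[BUFSZ]; };
/* Constructed read callback that asks for a pause on every call. */
static size_t paused_cb(char *p, size_t n) { (void)p; (void)n; return READFUNC_PAUSE; }

/* Before: the pause path reports success without writing *nreadp. */
static int fill_before(struct xfer *x, int *nreadp) {
  size_t n = paused_cb(x->buf, BUFSZ);
  if(n == READFUNC_PAUSE) {
    x->keepon |= KEEP_READ_PAUSE;  /* wrong direction, per the report */
    return 0;                      /* *nreadp left untouched */
  }
  *nreadp = (int)n;
  return 0;
}

/* After: *nreadp is assigned on every exit and the send side is paused. */
static int fill_after(struct xfer *x, int *nreadp) {
  size_t n = paused_cb(x->buf, BUFSZ);
  *nreadp = 0;
  if(n == READFUNC_PAUSE) {
    x->keepon |= KEEP_WRITE_PAUSE;
    return 0;
  }
  *nreadp = (int)n;
  return 0;
}

/* Caller trusts nread on success; 'stale' models the unassigned local's leftover value. */
static int send_len(int (*fill)(struct xfer *, int *), int stale, int *keepon) {
  struct xfer x;
  int nread = stale;
  memset(&x, 0, sizeof x);
  if(fill(&x, &nread) != 0) return -1;
  *keepon = x.keepon;
  return nread;                    /* length the caller would hand to send() */
}

int main(void) {
  int k;
  printf("before: %d bytes from a %d-byte buffer\n", send_len(fill_before, 4096, &k), BUFSZ);
  printf("after:  %d bytes\n", send_len(fill_after, 4096, &k));
  return 0;
}
```

A send length larger than `BUFSZ` in the "before" case is the over-read the report describes; a check that every success path of a function writes each of its out-parameters catches this class of defect in review.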
