[curl:bugs] #1193 cURL/libcurl Segmentation Fault due to a NULL pointer in Curl_sasl_create_digest_md5_message()

From: Saran Neti <>
Date: Mon, 11 Feb 2013 22:12:06 +0000

**[bugs:#1193] cURL/libcurl Segmentation Fault due to a NULL pointer in Curl_sasl_create_digest_md5_message()**
**Status:** open
**Created:** Mon Feb 11, 2013 10:12 PM UTC by Saran Neti
**Last Updated:** Mon Feb 11, 2013 10:12 PM UTC
**Owner:** nobody
While trying to reproduce libcurl SASL buffer overflow (as noted in advisory: using SMTP, I encountered a separate problem that causes cURL to terminate when processing base64 encoded Digest-MD5 challenges. 
```
Program received signal SIGSEGV, Segmentation fault.
__strstr_sse2 (haystack_start=0x0, needle_start=0x7ffff7bcf9ae "nonce=\"") at ../string/strstr.c:63
(gdb) bt
#0  __strstr_sse2 (haystack_start=0x0, needle_start=0x7ffff7bcf9ae "nonce=\"") at ../string/strstr.c:63
#1  0x00007ffff7bc624f in sasl_digest_get_key_value () from /usr/local/lib/
#2  0x00007ffff7bc68d9 in Curl_sasl_create_digest_md5_message () from /usr/local/lib/
#3  0x00007ffff7bc1247 in smtp_statemach_act () from /usr/local/lib/
#4  0x00007ffff7bc02c6 in smtp_multi_statemach () from /usr/local/lib/
#5  0x00007ffff7bb4adf in multi_runsingle () from /usr/local/lib/
#6  0x00007ffff7bb54e5 in curl_multi_perform () from /usr/local/lib/
#7  0x00007ffff7bae3ed in curl_easy_perform () from /usr/local/lib/
#8  0x0000000000409e87 in operate ()
#9  0x000000000040229a in main ()
```
The following message exchange between cURL and the SMTP server should reproduce the problem:
```
< 220 ESMTP (Ubuntu)
> EHLO .
< Hello .
< 334
< eA==
```
When the server sends any base64 encoded string, in this case "eA==", cURL crashes.
The problem is that "chlg" is returned as NULL after the function call to Curl_base64_decode() in the function Curl_sasl_create_digest_md5_message() in libs/curl_sasl.c.
Tested using:
curl 7.29.1-DEV (x86_64-unknown-linux-gnu) libcurl/7.29.1-DEV
cURL -L was used to connect to an http URL containing the SMTP redirect.
Compiled from:
git rev-parse HEAD: 463082bea42d8bea751303da340218a18fb67e85
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index d07387d..4d13263 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -283,6 +283,9 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
     return result;
+  if(chlg == NULL) {
+  }
   /* Retrieve nonce string from the challenge */
   if(!sasl_digest_get_key_value(chlg, "nonce=\"", nonce,
                                 sizeof(nonce), '\"')) {
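Review bot: the added `if(chlg == NULL) { }` block right after `return result;` has an empty body, so execution still falls through to `sasl_digest_get_key_value(chlg, "nonce=\"", ...)` with a NULL chlg and the strstr() crash in the backtrace is unchanged; the body needs to hand an error back to the caller, for example `return CURLE_BAD_CONTENT_ENCODING;` (or whichever CURLcode the maintainers prefer for a challenge that decodes to nothing), with a short comment stating that an empty or undecodable challenge is rejected. Note also that the hunk header advertises three added lines (`-283,6 +283,9`) while only two `+` lines are present, so the body line may have been lost when the patch was pasted; sending the patch as an attachment would avoid that.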
I'm not on any mailing list. Please contact me using email directly if I can be of any further assistance. 
Saran Neti,
Vulnerability Researcher, Telus Security Labs
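The NULL-challenge failure mode described in this report, worked through in an added C example that is not libcurl's code: a small base64 decoder that returns NULL on malformed input, a key="value" extractor that refuses a NULL haystack instead of handing it to strstr(), and a challenge-processing step that turns both failures into an error code for the caller. All function and enum names are hypothetical, and the sample challenges are constructed for the example; note that this decoder turns the report's `eA==` into the one-byte string "x", so it surfaces as a missing nonce, while a malformed string such as `eA=` takes the NULL path.

```c
/* Added example, not libcurl code. Defensive handling of a SASL
 * DIGEST-MD5 challenge: decode failure and NULL pointers are reported
 * as errors instead of reaching strstr(). Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum chlg_status { CHLG_OK = 0, CHLG_BAD_ENCODING, CHLG_MISSING_NONCE };

static int b64_val(char c)
{
  if(c >= 'A' && c <= 'Z') return c - 'A';
  if(c >= 'a' && c <= 'z') return c - 'a' + 26;
  if(c >= '0' && c <= '9') return c - '0' + 52;
  if(c == '+') return 62;
  if(c == '/') return 63;
  return -1;
}

/* Decode base64 into a freshly malloc'd, NUL-terminated buffer.
 * Returns NULL for empty input, a length that is not a multiple of 4,
 * characters outside the alphabet, misplaced padding, or OOM. */
static char *b64_decode(const char *src, size_t *outlen)
{
  size_t srclen = strlen(src), i, n = 0;
  unsigned char *out;

  if(srclen == 0 || srclen % 4 != 0)
    return NULL;
  out = malloc(srclen / 4 * 3 + 1);
  if(!out)
    return NULL;
  for(i = 0; i < srclen; i += 4) {
    int v[4], k, pad = 0;
    for(k = 0; k < 4; k++) {
      char c = src[i + k];
      if(c == '=') {
        /* '=' is only valid in the last two slots of the final quantum */
        if(i + 4 != srclen || k < 2) { free(out); return NULL; }
        pad++;
        v[k] = 0;
      }
      else {
        if(pad) { free(out); return NULL; }      /* data after '=' */
        v[k] = b64_val(c);
        if(v[k] < 0) { free(out); return NULL; }
      }
    }
    out[n++] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
    if(pad < 2) out[n++] = (unsigned char)((v[1] << 4) | (v[2] >> 2));
    if(pad < 1) out[n++] = (unsigned char)((v[2] << 6) | v[3]);
  }
  out[n] = '\0';
  if(outlen) *outlen = n;
  return (char *)out;
}

/* Copy the value following `key` (e.g. "nonce=\"") up to the `end`
 * character into `out`. Returns false, with `out` empty, when chlg is
 * NULL, the key is absent, the value is unterminated, or it would not
 * fit. The NULL check is what the report's backtrace shows missing. */
static bool digest_get_key_value(const char *chlg, const char *key,
                                 char *out, size_t outlen, char end)
{
  const char *start, *stop;
  size_t len;

  if(!out || outlen == 0)
    return false;
  out[0] = '\0';
  if(!chlg || !key)            /* never hand NULL to strstr() */
    return false;
  start = strstr(chlg, key);
  if(!start)
    return false;
  start += strlen(key);
  stop = strchr(start, end);
  if(!stop)
    return false;
  len = (size_t)(stop - start);
  if(len >= outlen)
    return false;
  memcpy(out, start, len);
  out[len] = '\0';
  return true;
}

/* The step the report is about: decode the server's 334 challenge and
 * look for the nonce. A NULL decode result becomes CHLG_BAD_ENCODING
 * and a challenge without a nonce becomes CHLG_MISSING_NONCE. */
static enum chlg_status process_challenge(const char *b64, char *nonce,
                                          size_t noncelen)
{
  size_t len = 0;
  char *chlg = b64_decode(b64, &len);
  enum chlg_status st;

  if(!chlg)
    return CHLG_BAD_ENCODING;
  st = digest_get_key_value(chlg, "nonce=\"", nonce, noncelen, '"')
         ? CHLG_OK : CHLG_MISSING_NONCE;
  free(chlg);
  return st;
}

int main(void)
{
  /* constructed sample challenges: nonce="ABC" in base64, the report's
   * "eA==", and a malformed string with a bad length */
  const char *samples[] = { "bm9uY2U9IkFCQyI=", "eA==", "eA=" };
  char nonce[64];
  size_t i;

  for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    enum chlg_status st = process_challenge(samples[i], nonce, sizeof(nonce));
    printf("%-18s -> status %d nonce=\"%s\"\n", samples[i], (int)st, nonce);
  }
  return 0;
}
```

The point of the structure is that every path out of the decoder and the extractor ends in a return value the caller can check; the caller then maps each failure to a distinct status rather than letting a NULL pointer propagate one function further.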
