curl-tracker Archives

[curl:bugs] #1262 curl_formadd() with CURLFORM_BUFFERPTR results in invalid read when buffer has no zero bytes

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Sun, 04 Aug 2013 17:42:04 +0000

- **labels**: --> curl_formadd
- **assigned_to**: Daniel Stenberg

---
**[bugs:#1262] curl_formadd() with CURLFORM_BUFFERPTR results in invalid read when buffer has no zero bytes**
**Status:** open
**Labels:** curl_formadd 
**Created:** Sun Aug 04, 2013 03:57 PM UTC by Konstantin Isakov
**Last Updated:** Sun Aug 04, 2013 03:57 PM UTC
**Owner:** Daniel Stenberg

When the following program is run through valgrind, it states an error:
    
    #include <stdlib.h>
    #include <string.h>
    #include <curl/curl.h>
    
    int main()
    {
      struct curl_httppost * post = NULL;
      struct curl_httppost * last = NULL;
      char * request = malloc( 4096 );
      memset( request, 1, 4096 );
    #ifdef HIDE_BUG
      /* This would make the error go away - apparently strlen() is used on buffer */
      request[ 4095 ] = 0;
    #endif
      curl_formadd( &post, &last,
                    CURLFORM_COPYNAME, "a",
                    CURLFORM_BUFFER, "b",
                    CURLFORM_BUFFERPTR,  request,
                    CURLFORM_BUFFERLENGTH, ( long ) 4096,
                    CURLFORM_END );
      return 0;
    }

    $ gcc test.c -lcurl; valgrind ./a.out
    ==18321== Invalid read of size 1
    ==18321==    at 0x4C2B4F4: strlen (mc_replace_strmem.c:390)
    ==18321==    by 0x4E3FF07: curl_formadd (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.3.0)
    ==18321==    by 0x400789: main (in /tmp/a.out)
    ==18321==  Address 0x887c0b0 is 0 bytes after a block of size 4,096 alloc'd
    ==18321==    at 0x4C2ABED: malloc (vg_replace_malloc.c:263)
    ==18321==    by 0x40071B: main (in /tmp/a.out)

    $ curl -V
    curl 7.31.0 (x86_64-pc-linux-gnu) libcurl/7.31.0 OpenSSL/1.0.1c zlib/1.2.7 libidn/1.25 libssh2/1.4.3 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
    Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

---
Received on 2013-08-04
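
A caller-side mitigation for the read reported above, added here as an example and not part of the original report or of libcurl: keep one zero guard byte after the payload so a NUL-seeking scan stops inside the allocation, while the length handed to `CURLFORM_BUFFERLENGTH` stays the true payload size. It assumes, as the valgrind trace suggests, that the stray read is a `strlen()` on the `CURLFORM_BUFFERPTR` buffer; `guarded_alloc`, `scan_stays_in_bounds` and `payload_scan_is_safe` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not a libcurl API: allocate len payload bytes plus
 * one guard byte that is always 0. A stray strlen() on the payload then
 * terminates inside the allocation instead of reading past its end. */
unsigned char *guarded_alloc(size_t len)
{
  unsigned char *buf;
  if(len == SIZE_MAX)
    return NULL;                /* len + 1 would wrap to 0 */
  buf = malloc(len + 1);
  if(buf)
    buf[len] = 0;               /* guard byte, not part of the payload */
  return buf;
}

/* 1 if a strlen()-style scan finds a NUL within alloc_size bytes,
 * 0 if it would run past the allocation (the report's invalid read). */
int scan_stays_in_bounds(const unsigned char *buf, size_t alloc_size)
{
  return memchr(buf, 0, alloc_size) != NULL;
}

/* Build the report's payload (len bytes of 0x01), with or without the guard,
 * and say whether a NUL-seeking scan stays inside the allocation. */
int payload_scan_is_safe(size_t len, int guarded)
{
  size_t alloc_size = guarded ? len + 1 : len;
  unsigned char *buf = guarded ? guarded_alloc(len) : malloc(len);
  int safe;
  if(!buf)
    return -1;
  memset(buf, 1, len);          /* same fill as the reproducer: no zero bytes */
  safe = scan_stays_in_bounds(buf, alloc_size);
  free(buf);
  return safe;
}

int main(void)
{
  /* With libcurl, pass the pointer via CURLFORM_BUFFERPTR and the true
   * payload size (4096, not 4097) via CURLFORM_BUFFERLENGTH. */
  printf("unguarded: %d\n", payload_scan_is_safe(4096, 0));
  printf("guarded:   %d\n", payload_scan_is_safe(4096, 1));
  return 0;
}
```

Unlike the `HIDE_BUG` branch in the reproducer, the guard byte sits after the payload, so the last data byte is not overwritten.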
