Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: On memory-leaks as security problems
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 7 Jan 2021 10:56:27 +0100 (CET)
On Thu, 7 Jan 2021, Kamil Dudka wrote:
>> A) If the memory leak is so large that it is likely to cause a memory
>> related failure in near-term for the application. This would mean in the
>> tens to hundreds of kilobytes, at least.
>
> (A) is tricky. Desktop applications can survives a few gigabytes of leaked
> memory without having any impact on security while embedded devices can die
> rather quickly.
Yes it is tricky. Also because libcurl is a library and we cannot reasonably
tell exactly how users use it so its hard to judge exactly how a leak affects
applications. A small leak in a function that is called very often will end up
a very big leak very fast.
I think a leak in the area of "hundreds of kilobytes" (without any specific
limit) in a single call is probably large enough to cause significant problems
and would be a security problems.
What if it's a 10K leak in curl_easy_perform() ? I probably wouldn't call that
a security problem. (But I would call it a serious bug!) Yet there are
applications doing thousands (and more) of transfers per second so 10K times
thousands will end up a huge amount of memory in nearly no time...
Date: Thu, 7 Jan 2021 10:56:27 +0100 (CET)
On Thu, 7 Jan 2021, Kamil Dudka wrote:
>> A) If the memory leak is so large that it is likely to cause a memory
>> related failure in near-term for the application. This would mean in the
>> tens to hundreds of kilobytes, at least.
>
> (A) is tricky. Desktop applications can survives a few gigabytes of leaked
> memory without having any impact on security while embedded devices can die
> rather quickly.
Yes it is tricky. Also because libcurl is a library and we cannot reasonably
tell exactly how users use it so its hard to judge exactly how a leak affects
applications. A small leak in a function that is called very often will end up
a very big leak very fast.
I think a leak in the area of "hundreds of kilobytes" (without any specific
limit) in a single call is probably large enough to cause significant problems
and would be a security problems.
What if it's a 10K leak in curl_easy_perform() ? I probably wouldn't call that
a security problem. (But I would call it a serious bug!) Yet there are
applications doing thousands (and more) of transfers per second so 10K times
thousands will end up a huge amount of memory in nearly no time...
-- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://www.wolfssl.com/contact/ ------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2021-01-07