Re: On memory-leaks as security problems
From: Jeffrey Walton via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 8 Jan 2021 09:58:58 -0500
On Fri, Jan 8, 2021 at 8:23 AM Tomalak Geret'kal via curl-library
<curl-library_at_cool.haxx.se> wrote:
>
> On 07/01/2021 13:47, Jeffrey Walton via curl-library wrote:
> > All memory leaks can lead to resource exhaustion on
> > platforms that use
> > managed languages due to the process lifecycle model.
> >
> > The managed languages load and unload a shared object multiple times
> > throughout the lifetime of the process.
> >
> > I guess that means, if cURL can run on a managed platform, then the
> > potential for resource exhaustion exists, and the memory leak is CVE
> > worthy.
>
> Can't say I'm really seeing the relevance of managed
> platforms. Leaks can have impact anywhere. ...
Platforms like Android and Windows Phone behave differently than a
desktop or server. A harmless one-time leak in a desktop or server
becomes a recurring leak on those mobile platforms.
Jeff
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-01-08
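
Added example, not part of the original message or of curl's code: a small C model of the load/unload lifecycle discussed in this thread, showing how a one-time allocation that is never freed accumulates when a host repeatedly unloads and reloads a library within one process. All names (`lib_init`, `lib_cleanup`, `host_reload`, `leaked_after_cycles`) and the 4096-byte size are hypothetical, and the reload is simulated by resetting the library's statics rather than by calling `dlopen`/`dlclose`.

```c
#include <stdio.h>
#include <stdlib.h>

#define TABLE_BYTES 4096   /* constructed size of the one-time allocation */

static size_t live_bytes;  /* harness accounting; lives in the host, survives "unload" */

/* State that would sit in the library's own .data/.bss (hypothetical library). */
static struct { int initialized; void *table; } lib;

static void lib_init(void) {
    if (lib.initialized) return;          /* one-time guard: fine within a single load */
    lib.table = malloc(TABLE_BYTES);
    if (!lib.table) return;
    live_bytes += TABLE_BYTES;
    lib.initialized = 1;
}

/* free_table == 0 models the "harmless" one-time leak, 1 models the fix. */
static void lib_cleanup(int free_table) {
    if (free_table && lib.table) {
        free(lib.table);
        live_bytes -= TABLE_BYTES;
        lib.table = NULL;
    }
}

/* Simulated unload + reload: the library's statics are mapped fresh, so the
 * guard and the only pointer to the block are lost. The heap block itself
 * belongs to the process and stays allocated. */
static void host_reload(void) {
    lib.initialized = 0;
    lib.table = NULL;
}

/* Bytes still allocated after the host cycles the library `cycles` times. */
size_t leaked_after_cycles(int cycles, int free_table) {
    live_bytes = 0;
    host_reload();
    for (int i = 0; i < cycles; i++) {
        lib_init();
        lib_init();                       /* second call in the same load is a no-op */
        lib_cleanup(free_table);
        host_reload();
    }
    return live_bytes;
}

int main(void) {
    printf("1 load, leaky:     %zu bytes\n", leaked_after_cycles(1, 0));
    printf("1000 loads, leaky: %zu bytes\n", leaked_after_cycles(1000, 0));
    printf("1000 loads, fixed: %zu bytes\n", leaked_after_cycles(1000, 1));
    return 0;
}
```
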