Email related examples use CURLOPT_READFUNCTION callback with bad coding practices #7330
Labels
Comments
bagder
added a commit
that referenced
this issue
Jul 1, 2021
The same callback code is used in: imap-append.c smtp-authzid.c smtp-mail.c smtp-multi.c smtp-ssl.c smtp-tls.c It should not assume that it can copy full lines into the buffer as it will encourage sloppy coding practices. Instead use byte-wise logic and check/acknowledge the buffer size appropriately. Reported-by: Harry Sintonen Fixes #7330
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Problem description
The
CURLOPT_READFUNCTIONfunctionpayload_sourceused in many SMTP/IMAP examples depend on the specific implementation details of the libcurl. Thepayload_sourcefunction assumes that a single large enough call to the function will be made, and that the read is large enough to fit the whole line. This directly contradicts whatCURLOPT_READFUNCTIONAPI documentation says you should do:The data area pointed at by the pointer buffer should be filled up with at most size multiplied with nitems number of bytes by your function.While libcurl might be calling the callback in a way that makes these examples work for now, if the call pattern ever changes the example apps may cease to work or even start crashing due to buffer overflow. Even if no such change happens, the example apps should try to be as correct as possible to not proliferate incorrect and/or unsafe API usage.
I expected the following
The example app implementing
CURLOPT_READFUNCTIONas documented: return maximum size * nmemb bytes and keep track of the "read" position.curl/libcurl version
git HEAD
operating system
N/A
The text was updated successfully, but these errors were encountered: