curl / Docs / curl CVEs / data callback excessive length

CVE-2010-0734

data callback excessive length

Project curl Security Advisory, February 9th 2010 Permalink

VULNERABILITY

When downloading data, libcurl hands it over to the application using a callback that is registered by the client software. libcurl then calls that function repeatedly with data until the transfer is complete. The callback is documented to receive a maximum data size of 16K (CURL_MAX_WRITE_SIZE).

Using the affected libcurl version to download compressed content over HTTP, an application can ask libcurl to automatically uncompress data. When doing so, libcurl can wrongly send data up to 64K in size to the callback which thus is much larger than the documented maximum size. An application that blindly trusts libcurl's max limit for a fixed buffer size or similar is then a possible target for a buffer overflow vulnerability.

This error is only present in zlib-enabled builds of libcurl and only if automatic decompression has been explicitly enabled by the application - it is disabled by default.

We have not found any libcurl client software that is vulnerable to this flaw - but we acknowledge that there may still be vulnerable software in existence.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-0734 to this issue.

CWE-628: Function Call with Incorrectly Specified Arguments

Severity: High

AFFECTED VERSIONS

If you build curl or libcurl to not use zlib or make your app not tell libcurl to do this magic, you are not affected.

Also note that (lib)curl is used by many applications, and not always advertised as such.

SOLUTION

libcurl 7.20.0 makes sure that the length argument in the callback never exceeds the documented max length.

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade to curl and libcurl 7.20.0

B - Apply patch and rebuild

C - Disable automatic content encoding decompression in your application

D - Rebuild curl without zlib support

E - change your code to use 4 * CURL_MAX_WRITE_SIZE for buffer sizes

TIMELINE

We were notified on January 9 2010.

We discussed solutions and a first patch was written and tested on January 9.

Vendor-sec was informed on January 10 2010.

curl 7.20.0 was released on February 9 2010, just before this flaw was publicly disclosed.

CREDITS

Thanks a lot!