
[Security] Possible buffer overrun in a debug function

From: Nicolas Went via curl-users <curl-users_at_cool.haxx.se>
Date: Fri, 24 Jul 2020 22:49:29 +0200

Hello,

We are students tasked with doing a security review of the program curl.

We are sending this message because we found a possible buffer overrun inside
a debug function in the file tool_main.c:

Here is the code, lines 102 to 132:

#ifdef CURLDEBUG
static void memory_tracking_init(void)
{
  char *env;
  /* if CURL_MEMDEBUG is set, this starts memory tracking message logging */
  env = curlx_getenv("CURL_MEMDEBUG");
  if(env) {
    /* use the value as file name */
    char fname[CURL_MT_LOGFNAME_BUFSIZE];
    if(strlen(env) >= CURL_MT_LOGFNAME_BUFSIZE)
      env[CURL_MT_LOGFNAME_BUFSIZE-1] = '\0';
    strcpy(fname, env);
    curl_free(env);
    curl_dbg_memdebug(fname);
    /* this weird stuff here is to make curl_free() get called before
       curl_dbg_memdebug() as otherwise memory tracking will log a free()
       without an alloc! */
  }
  /* if CURL_MEMLIMIT is set, this enables fail-on-alloc-number-N feature */
  env = curlx_getenv("CURL_MEMLIMIT");
  if(env) {
    char *endptr;
    long num = strtol(env, &endptr, 10);
    if((endptr != env) && (endptr == env + strlen(env)) && (num > 0))
      curl_dbg_memlimit(num);
    curl_free(env);
  }
}
#else
#  define memory_tracking_init() Curl_nop_stmt
#endif

As you can see, the function strcpy is used on line 12 there and on line
113 in the real file.

This function is unsafe to use since it can lead to buffer overruns if
the destination size is smaller than the source size, which can be the
case here, since we copy a string whose size depends on the macro
CURL_MT_LOGFNAME_BUFSIZE, whose definition can vary (we found one
equal to 512), and the string env is at the destination, whose size is
not defined in the manual of curlx_getenv.

And only the case where the size of env is higher than the size of fname
is tested, but not the opposite.

We suggest using strncpy instead of strcpy to ensure safe use.

Since this problem is only located in a debug function, we don't think
it is legitimate to post it to their bug bounty.

That's why we decided to post to their public mailing list. We hope that
it is the right place to post these kinds of problems.

If we are wrong to post here, or our explanation is wrong, we hope that
you will be indulgent with us :) we are just students.

We hope that this report can contribute to the curl project.

Sincerely,
Nicolas Went
Received on 2020-07-25
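Added editorial example, not part of the mail above and not curl's own code: it reproduces the truncate-then-copy logic of the quoted memory_tracking_init() on a writable copy of a constructed environment value, so the copied length can be measured for inputs shorter than, equal to and longer than the buffer, and places the strncpy form the report suggests beside it. The parse of CURL_MEMLIMIT from the same snippet is mirrored as well. The buffer size 512 is taken from the one definition the report mentions and is an assumption here; curlx_getenv is stood in for by a plain heap copy, since the snippet frees env with curl_free and so relies on it being writable heap memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same value as the one copy of CURL_MT_LOGFNAME_BUFSIZE the report
 * mentions; assumed here, other builds may differ. */
#define LOGFNAME_BUFSIZE 512

/* Mirror of the quoted lines: if the value does not fit, it is cut in
 * place at BUFSIZE-1 before strcpy, so strcpy writes at most BUFSIZE-1
 * characters plus the terminator into fname. env must be writable (the
 * snippet frees it, so it is a heap copy). Returns the copied length. */
static size_t copy_logfname_strcpy(char *env, char fname[LOGFNAME_BUFSIZE])
{
  if(strlen(env) >= LOGFNAME_BUFSIZE)
    env[LOGFNAME_BUFSIZE - 1] = '\0';
  strcpy(fname, env);
  return strlen(fname);
}

/* The strncpy variant the report proposes. strncpy does not write a
 * terminator when the source is at least n bytes long, so it has to be
 * added explicitly or fname is not a C string. Leaves env untouched. */
static size_t copy_logfname_strncpy(const char *env, char fname[LOGFNAME_BUFSIZE])
{
  strncpy(fname, env, LOGFNAME_BUFSIZE - 1);
  fname[LOGFNAME_BUFSIZE - 1] = '\0';
  return strlen(fname);
}

/* Mirror of the CURL_MEMLIMIT parse: accept only a value consumed in
 * full by strtol and positive. Returns the number, or 0 when rejected. */
static long parse_memlimit(const char *env)
{
  char *endptr;
  long num = strtol(env, &endptr, 10);
  if((endptr != env) && (endptr == env + strlen(env)) && (num > 0))
    return num;
  return 0;
}

/* Constructed stand-in for curlx_getenv(): a heap string of n filler
 * characters, so the caller can truncate and free it like the snippet. */
static char *make_value(size_t n)
{
  char *s = malloc(n + 1);
  if(!s)
    abort();
  memset(s, 'A', n);
  s[n] = '\0';
  return s;
}

/* Run one copy path on an n-character value and report the length that
 * ended up in fname. use_strncpy selects the proposed variant. */
static size_t copied_len_for(size_t n, int use_strncpy)
{
  char fname[LOGFNAME_BUFSIZE];
  char *env = make_value(n);
  size_t len = use_strncpy ? copy_logfname_strncpy(env, fname)
                           : copy_logfname_strcpy(env, fname);
  free(env);
  return len;
}

int main(void)
{
  size_t lens[] = { 5, LOGFNAME_BUFSIZE - 1, LOGFNAME_BUFSIZE, 4096 };
  for(size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
    printf("input %zu -> strcpy path %zu, strncpy path %zu\n", lens[i],
           copied_len_for(lens[i], 0), copied_len_for(lens[i], 1));
  printf("memlimit \"42\" -> %ld, \"42x\" -> %ld, \"-1\" -> %ld\n",
         parse_memlimit("42"), parse_memlimit("42x"), parse_memlimit("-1"));
  return 0;
}
```

Both copy paths cap the result at LOGFNAME_BUFSIZE-1 characters; the difference is that the strcpy path relies on the in-place truncation of env one line earlier, while the strncpy path needs the explicit terminator to stay a valid C string.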