curl-library
Error buffer overflow
Date: Sat, 25 Oct 2003 22:34:02 +0100
I've found that the buffer set by CURLOPT_ERRORBUFFER may be written to one byte
more than CURL_ERROR_SIZE. The documentation states "The buffer must be at
least CURL_ERROR_SIZE big", which I interpret as meaning that a buffer of
size CURL_ERROR_SIZE is acceptable. The overflow occurs when you attempt to
access a local file with a very long name which doesn't exist.
There are two different places in libcurl which may overflow. If the URL is
exactly (CURL_ERROR_SIZE - 13) characters long and CURLOPT_VERBOSE is set,
then Curl_failf() writes a 0 at error_buffer[CURL_ERROR_SIZE] (line 160).
(The 13 is for "Couldn't open file ".)
If the URL is anything longer, then curl_mvsnprintf() writes a 0 at the same
position (line 994). I think this is different behaviour from the usual
vsnprintf().
A test case is attached. Comment out line 18 to get the second case.
James
- text/x-csrc attachment: curlbug.c
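The following is an added, self-contained model of the off-by-one described above; it is not libcurl's code and not the attached curlbug.c. It places a canary byte directly after a buffer of exactly CURL_ERROR_SIZE bytes (256, the value libcurl uses, defined locally here as ERROR_SIZE), formats a "Couldn't open file <name>" message into it with a hypothetical formatter that clamps the terminator index to the buffer size instead of size - 1, and shows that the canary is clobbered exactly when the message length reaches or exceeds the buffer size. A second formatter that relies on vsnprintf's own termination and only reports truncation leaves the canary intact, which is the fix a caller or the library would want. The function names failf_unsafe, failf_safe and canary_intact are assumptions for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERROR_SIZE 256               /* libcurl's CURL_ERROR_SIZE is 256 */
#define CANARY 0xA5                  /* guard value stored at buf[ERROR_SIZE] */
#define OPEN_FAIL_PREFIX "Couldn't open file "

/* Hypothetical model of the faulty pattern: after formatting, the terminator
 * index is clamped to `size` rather than `size - 1`, so a message of length
 * >= size writes a NUL at buf[size], one byte past the buffer. Returns 1 if
 * the message was truncated, 0 if it fit, -1 on a format error. */
static int failf_unsafe(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(buf, size, fmt, ap);   /* already NUL-terminates within size */
    va_end(ap);
    if (len < 0)
        return -1;
    if ((size_t)len > size)
        len = (int)size;                   /* BUG: should be size - 1 */
    buf[len] = '\0';                       /* len == size lands one past the end */
    return (size_t)len >= size;
}

/* Corrected formatter: vsnprintf has already placed the terminator at
 * buf[min(len, size - 1)], so nothing else is written; the caller only
 * learns whether the message was cut short. */
static int failf_safe(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (len < 0)
        return -1;
    return (size_t)len >= size;
}

/* Length of file name that makes the message exactly ERROR_SIZE characters,
 * i.e. the boundary case from the report (no room left for the NUL). */
static size_t exact_fill_name_len(void)
{
    return ERROR_SIZE - strlen(OPEN_FAIL_PREFIX);
}

/* Format a message about a constructed file name of `name_len` 'a's into an
 * ERROR_SIZE-byte buffer followed by one canary byte. Returns 1 if the
 * canary survived (no out-of-bounds write), 0 if it was overwritten. */
static int canary_intact(int (*failf)(char *, size_t, const char *, ...),
                         size_t name_len)
{
    unsigned char storage[ERROR_SIZE + 1];   /* buffer plus guard byte */
    char name[ERROR_SIZE * 2];
    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    memset(storage, 0, sizeof storage);
    storage[ERROR_SIZE] = CANARY;
    failf((char *)storage, ERROR_SIZE, OPEN_FAIL_PREFIX "%s", name);
    return storage[ERROR_SIZE] == CANARY;
}

int main(void)
{
    size_t boundary = exact_fill_name_len();
    printf("short name,   unsafe formatter: canary %s\n",
           canary_intact(failf_unsafe, 10) ? "intact" : "CLOBBERED");
    printf("exact fill,   unsafe formatter: canary %s\n",
           canary_intact(failf_unsafe, boundary) ? "intact" : "CLOBBERED");
    printf("longer name,  unsafe formatter: canary %s\n",
           canary_intact(failf_unsafe, boundary + 50) ? "intact" : "CLOBBERED");
    printf("exact fill,   safe formatter:   canary %s\n",
           canary_intact(failf_safe, boundary) ? "intact" : "CLOBBERED");
    return 0;
}
```

The guard byte is the practical check here: an application that must use a buffer of exactly CURL_ERROR_SIZE bytes can surround it with a sentinel in a debug build to detect this class of one-byte overrun, while the durable fix is the safe formatter's approach of never writing a terminator beyond what vsnprintf already placed.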