curl-library

Re: Error buffer overflow

From: James Bursa <bursa_at_users.sourceforge.net>
Date: Sun, 26 Oct 2003 19:35:06 +0000

On Sunday 26 October 2003 15:41, Daniel Stenberg wrote:
> On Sat, 25 Oct 2003, James Bursa wrote:
> > There are two different places in libcurl which may overflow. If the URL
> > is exactly (CURL_ERROR_SIZE - 13) characters long and CURLOPT_VERBOSE is
> > set, then Curl_failf() writes a 0 at error_buffer[CURL_ERROR_SIZE] (line
> > 160). (The 13 is for "Couldn't open file ".)
>
> Thanks!
>
> It is amazing that this bug has been around for so many years without
> anyone ever noticing before.
>
> Well done, James! A fix was committed to CVS a few moments ago.

I'm still getting the first bug (in Curl_failf) here. This fixes it:

diff -d -u -3 -r1.69 sendf.c
--- lib/sendf.c 19 Oct 2003 17:38:52 -0000 1.69
+++ lib/sendf.c 26 Oct 2003 19:33:35 -0000
@@ -154,7 +154,7 @@
     if(data->set.verbose) {
       int len = strlen(data->set.errorbuffer);
       bool doneit=FALSE;
- if(len < CURL_ERROR_SIZE) {
+ if(len < CURL_ERROR_SIZE - 1) {
         doneit = TRUE;
         data->set.errorbuffer[len] = '\n';
         data->set.errorbuffer[++len] = '\0';
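
Review bot: the new bound `len < CURL_ERROR_SIZE - 1` on the changed line carries an unstated reason, and a short comment there would keep it from being "simplified" back. The branch writes two bytes, the '\n' at `len` and the '\0' at `len + 1`, so the highest index touched is now `CURL_ERROR_SIZE - 1`. Separately, on the context line `int len = strlen(data->set.errorbuffer);` the size_t result is stored in an int. Declaring `len` as size_t would avoid the signed/unsigned mix in the comparison.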

James

Received on 2003-10-26
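
The boundary case discussed in this thread, as a stand-alone check (an added example, not code from libcurl or from the original mail). `ERR_SIZE` stands in for `CURL_ERROR_SIZE` with an assumed value, and `append_newline`, `run_case`, `struct result` and the guard byte are hypothetical names used only here.

```c
#include <stdio.h>
#include <string.h>

#define ERR_SIZE 256   /* stand-in for CURL_ERROR_SIZE (assumed value) */
#define GUARD    0x5A  /* marker placed one byte past the logical buffer */

struct result { int appended; int overflowed; };

/* Same shape as the verbose branch in the patch, with the bound as a parameter. */
static int append_newline(char *buf, size_t limit)
{
  size_t len = strlen(buf);
  if(len < limit) {
    buf[len] = '\n';
    buf[++len] = '\0';
    return 1;
  }
  return 0;
}

/* Constructed input: a message of msg_len 'A's in an ERR_SIZE-byte buffer.
   The backing array has one extra guard byte so an overrun is observable
   without touching memory the program does not own. */
struct result run_case(size_t msg_len, size_t limit)
{
  char mem[ERR_SIZE + 1];
  struct result r = { 0, 0 };
  if(msg_len > ERR_SIZE - 1)   /* keep the constructed message inside the buffer */
    msg_len = ERR_SIZE - 1;
  memset(mem, 'A', msg_len);
  mem[msg_len] = '\0';
  mem[ERR_SIZE] = GUARD;
  r.appended = append_newline(mem, limit);
  r.overflowed = ((unsigned char)mem[ERR_SIZE] != GUARD);
  return r;
}

int main(void)
{
  size_t n;
  for(n = ERR_SIZE - 3; n <= ERR_SIZE - 1; n++) {
    struct result before = run_case(n, ERR_SIZE);      /* original check */
    struct result after  = run_case(n, ERR_SIZE - 1);  /* patched check */
    printf("len=%lu  before: appended=%d overflow=%d  after: appended=%d overflow=%d\n",
           (unsigned long)n, before.appended, before.overflowed,
           after.appended, after.overflowed);
  }
  return 0;
}
```

Only the completely full buffer differs between the two bounds: with the patched check the newline is skipped there instead of the terminator landing one byte past the end.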