
Re: leaks using long hostnames

From: Daniel Stenberg <daniel-curl_at_haxx.se>
Date: Fri, 7 May 2004 20:50:58 +0200 (CEST)

On Fri, 7 May 2004, Gisle Vanem wrote:

> But more seriously; the output contains trailing 0x13 codes at end; looks
> like a case of use-after-free. I fail to see why this happens. curl/libcurl
> doesn't have a limit on hostnames, do they?

There's no size-limit in hostnames, no. I found a very stupid URL parsing flaw
I'm stunned we haven't found before:

We ruined the hostname pointer by running over the protocol-buffer with one
zero-byte.

I modified the size of the proto-buffer and made sure we only scan to size-1
bytes of the buffer size to have room for the trailing zero. With this change, I
don't get any memory problems.

Thanks for the report!

-- 
     Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se
      Dedicated custom curl help for hire: http://haxx.se/curl.html
Received on 2004-05-18
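The off-by-one described in the mail above, as an added example that is not libcurl's code: a scheme scanner that copies up to the full buffer size and then writes the terminating zero one byte past the end, beside the size-1 fix. The buffer size, the scheme character set, the canary harness and the scheme-less long-hostname input are assumptions made for this demonstration, not details taken from the curl source.

```c
/* Added example, constructed for this page (not libcurl code): the one-byte
 * NUL overrun of a fixed-size protocol buffer, and the size-1 fix. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROTO_MAX 8     /* assumed buffer size, chosen small for the demo */
#define CANARY    0xAA  /* marker placed in the byte just past the buffer */

/* Assumed scheme alphabet: letters, digits, '+', '-', '.' (RFC 3986 style). */
static int is_scheme_char(int c)
{
    return isalnum((unsigned char)c) || c == '+' || c == '-' || c == '.';
}

/* Buggy scan: copies up to protosz bytes, then writes the terminator. A
 * token of exactly protosz bytes puts the NUL at proto[protosz], one past
 * the end. In a real program that byte is whatever the compiler placed next
 * to the array; in the mail above it was the hostname pointer. */
static size_t scan_proto_buggy(const char *url, char *proto, size_t protosz)
{
    size_t i;
    for (i = 0; i < protosz && is_scheme_char(url[i]); i++)
        proto[i] = url[i];
    proto[i] = '\0';            /* i == protosz is possible here */
    return i;
}

/* Fixed scan: stop at protosz - 1 so the terminator always fits, and report
 * a token that did not fit instead of silently truncating it. Returns the
 * token length, or (size_t)-1 when the scheme is longer than the buffer. */
static size_t scan_proto_fixed(const char *url, char *proto, size_t protosz)
{
    size_t i;
    for (i = 0; i < protosz - 1 && is_scheme_char(url[i]); i++)
        proto[i] = url[i];
    proto[i] = '\0';
    if (is_scheme_char(url[i]))
        return (size_t)-1;      /* scheme longer than the buffer */
    return i;
}

typedef size_t (*scan_fn)(const char *, char *, size_t);

/* Harness: hands the scanner a buffer that is really one byte larger than
 * the size it is told about, with a canary in the extra byte. The buggy
 * scanner's write to proto[PROTO_MAX] lands on the canary, so the check is
 * well-defined C rather than an out-of-bounds read. Returns 1 on overrun. */
static int overruns(scan_fn scan, const char *url)
{
    char buf[PROTO_MAX + 1];
    memset(buf, 0, sizeof buf);
    buf[PROTO_MAX] = (char)CANARY;
    scan(url, buf, PROTO_MAX);
    return (unsigned char)buf[PROTO_MAX] != CANARY;
}

/* Convenience wrapper: length returned by the fixed scanner, -1 if rejected. */
static long fixed_scan_len(const char *url)
{
    char proto[PROTO_MAX];
    size_t n = scan_proto_fixed(url, proto, PROTO_MAX);
    return n == (size_t)-1 ? -1 : (long)n;
}

int main(void)
{
    /* Constructed inputs. The last one is a scheme-less URL: every hostname
     * character is also a valid scheme character, so a long hostname fills
     * the protocol buffer exactly as an overlong scheme would (assumed
     * trigger; the mail itself only says the overrun was a single zero byte). */
    const char *urls[] = { "http://host", "protocol://host",
                           "averylonghostname.example/" };
    for (size_t k = 0; k < sizeof urls / sizeof urls[0]; k++)
        printf("%-28s buggy overrun=%d fixed overrun=%d fixed len=%ld\n",
               urls[k], overruns(scan_proto_buggy, urls[k]),
               overruns(scan_proto_fixed, urls[k]), fixed_scan_len(urls[k]));
    return 0;
}
```

The canary byte is what makes the check deterministic: on a real stack the byte past the array belongs to a neighbouring variable, so the symptom is a corrupted pointer or stray bytes in output rather than a crash, which is exactly the kind of report that starts the thread above. The fixed scanner also turns an overlong token into an error rather than a silent truncation, so callers cannot proceed with a half-parsed scheme.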