curl-library
Re: leaks using long hostnames
From: Daniel Stenberg <daniel-curl_at_haxx.se>
Date: Fri, 7 May 2004 20:50:58 +0200 (CEST)
On Fri, 7 May 2004, Gisle Vanem wrote:
> But more seriously; the output contains trailing 0x13 codes at end; looks
> like a case of use-after-free. I fail to see why this happens. curl/libcurl
> doesn't have a limit on hostnames, do they?
There's no size-limit in hostnames, no. I found a very stupid URL parsing flaw
I'm stunned we haven't found before:
We ruined the hostname pointer by running over the protocol-buffer with one
zero-byte.
I modified the size of the proto-buffer and made sure we only scan to size-1
bytes of the buffer size to have room for the trailing zero. With this made, I
don't get any memory problems.
Thanks for the report!
-- Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se
Dedicated custom curl help for hire: http://haxx.se/curl.html

Received on 2004-05-18
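The off-by-one described in the message above, as an added illustration that is not part of the original post and is not curl's code. The 16-byte buffer size, the marker value and the names `neighbour_intact` and `parse_scheme` are assumptions; the extra byte after the buffer stands in for the adjacent hostname pointer.

```c
#include <stdio.h>
#include <string.h>

#define PROTO_SIZE 16   /* assumed size of the protocol buffer */
#define MARKER     0xA5 /* arbitrary value for the neighbouring byte */

/* Scans the scheme of `url` into a PROTO_SIZE-byte region followed by one
 * extra byte that stands in for whatever is stored right after the buffer.
 * Returns 1 if that neighbouring byte is untouched, 0 if it was overwritten. */
static int neighbour_intact(const char *url, int fixed)
{
    unsigned char region[PROTO_SIZE + 1];
    memset(region, MARKER, sizeof(region));

    if (fixed)
        /* width = size-1: 15 characters plus the NUL fit in 16 bytes */
        sscanf(url, "%15[^\n:]", (char *)region);
    else
        /* width = size: 16 characters plus the NUL need 17 bytes */
        sscanf(url, "%16[^\n:]", (char *)region);

    return region[PROTO_SIZE] == MARKER;
}

/* Bounded scan that also rejects a scheme cut short by the width limit:
 * whatever follows the scanned characters must be "://".
 * Returns 0 on success, -1 on a missing, over-long or malformed scheme. */
static int parse_scheme(const char *url, char out[PROTO_SIZE])
{
    int used = 0;
    if (sscanf(url, "%15[^\n:]%n", out, &used) != 1)
        return -1;
    if (strncmp(url + used, "://", 3) != 0)
        return -1;
    return 0;
}

int main(void)
{
    const char *long_url = "aaaaaaaaaaaaaaaaaaaaaaaa://example.com/"; /* constructed */
    char proto[PROTO_SIZE];

    printf("width=size   neighbour intact: %d\n", neighbour_intact(long_url, 0));
    printf("width=size-1 neighbour intact: %d\n", neighbour_intact(long_url, 1));
    printf("parse_scheme(long): %d\n", parse_scheme(long_url, proto));
    return 0;
}
```

A short scheme never reaches the last byte of the buffer, so the stray zero byte only appears once the scheme is at least as long as the buffer.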