curl-library

Potential buffer overflow in version.c

From: Patrick Monnerat <Patrick.Monnerat_at_datasphere.ch>
Date: Wed, 15 Aug 2007 16:21:47 +0200

In curl_version(), the code:

strcpy(ptr, LIBCURL_NAME "/" LIBCURL_VERSION ); /* copy the name/version text */
ptr=strchr(ptr, '\0');                          /* ptr now points at the terminating NUL */
left -= strlen(ptr);                            /* measures from the NUL: always 0 */

is supposed to add the copied length to the pointer, and subtract it
from the byte count left.

In fact, the byte count left is never updated, because strlen() measures
the string AFTER pointer update --> strlen() always returns 0.

This bug does not seem to allow an external attack, since buffer filling
is only made from internal data.

The attached patch fixes this bug.

Received on 2007-08-15
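The following is an added example, not code from curl or from the mail above, that reproduces the bookkeeping defect described in the message and shows why a stale remaining-byte count matters. The macro values, the buffer sizes and the function names (buggy_fill, fixed_fill, stale_count_accepts_overrun) are constructed for illustration and are not curl's own.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the real LIBCURL_NAME / LIBCURL_VERSION macros. */
#define EXAMPLE_NAME    "libcurl"
#define EXAMPLE_VERSION "7.16.4"

/* Mirrors the ordering quoted in the mail: ptr is advanced to the
 * terminating NUL first, so strlen(ptr) measures the empty string and
 * 'left' never shrinks. Returns the (wrong) remaining byte count. */
size_t buggy_fill(char *buf, size_t left)
{
    char *ptr = buf;
    strcpy(ptr, EXAMPLE_NAME "/" EXAMPLE_VERSION);
    ptr = strchr(ptr, '\0');
    left -= strlen(ptr);          /* strlen("") == 0: left is unchanged */
    return left;
}

/* Corrected ordering: measure the copied text before advancing ptr,
 * and subtract that same length from 'left'. */
size_t fixed_fill(char *buf, size_t left)
{
    char *ptr = buf;
    size_t len;
    strcpy(ptr, EXAMPLE_NAME "/" EXAMPLE_VERSION);
    len = strlen(ptr);
    ptr += len;
    left -= len;
    return left;
}

/* Shows the consequence of the stale count without writing out of bounds:
 * evaluates the "does a further component fit?" check that later code
 * would make, using each version's notion of 'left'. Returns 1 when the
 * buggy count would accept an append that the correct count rejects,
 * i.e. when the stale value would let the buffer be overrun. */
int stale_count_accepts_overrun(size_t bufsize, size_t next_len)
{
    char buf[256];
    size_t left_buggy, left_fixed;

    if (bufsize > sizeof(buf))
        bufsize = sizeof(buf);

    left_buggy = buggy_fill(buf, bufsize);
    left_fixed = fixed_fill(buf, bufsize);

    /* A guarded append needs next_len bytes plus the NUL. */
    return (next_len + 1 <= left_buggy) && (next_len + 1 > left_fixed);
}
```

With a 64-byte buffer the buggy path reports all 64 bytes still free after writing 14, while the corrected path reports 50; a 55-byte append would pass the buggy check and fail the correct one.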