
curl-library

Re: curl_easy_pause bugs

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Wed, 3 Sep 2008 13:44:33 -0700

On Wed, Sep 03, 2008 at 05:46:22PM +0700, Dmitriy Sergeyev wrote:
> Ironically, this typo causes another bug not to run when the
> write-callback succeeds. Here is the suspicious sequence, starting at
> line 878:
> ====
> else {
> tempsize -= chunklen; /* left after the call above */
> tempwrite += chunklen; /* advance the pointer */
> }
>
> } while((result == CURLE_OK) && tempsize);
>
> free(tempwrite); /* this is unconditionally no longer used */
> ====
> tempwrite is increased by some value and later there is an attempt to
> free() the memory at the increased pointer.

There is also the potential that this defect could cause a remotely
exploitable security problem (CWE-590). The server has control over the
contents of the buffer as well as the size of the chunklen. It only affects
apps which use the pause mechanism, and probably wouldn't be trivial to
exploit, but the consequences could be serious.

>>> Dan

-- 
http://www.MoveAnnouncer.com              The web change of address service
          Let webmasters know that your web site has moved
Received on 2008-09-03
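The loop Dmitriy quoted and the consequence Dan describes, as an added example that is not curl's own code: a constructed model of the pause-buffer flush, with a stand-in write callback (`sink_write`, hypothetical) that accepts at most `max_chunk` bytes per call so the buffer takes several rounds to drain. `flush_buggy` reproduces the quoted pattern but returns the pointer the original code would have handed to free() instead of calling it, since freeing a pointer into the middle of a heap block aborts the process; `flush_fixed` shows the repair of keeping the allocation base and walking a separate cursor. All function and type names are assumptions for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SINK_CAP 256

/* Constructed stand-in for a CURLOPT_WRITEFUNCTION-style callback: it accepts
 * at most max_chunk bytes per call, so a larger buffer takes several rounds. */
struct sink {
    char   out[SINK_CAP];
    size_t len;
    size_t max_chunk;
};

static size_t sink_write(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t n = size * nmemb;
    if (n > s->max_chunk)
        n = s->max_chunk;
    if (s->len + n > SINK_CAP)
        n = SINK_CAP - s->len;
    memcpy(s->out + s->len, ptr, n);
    s->len += n;
    return n;
}

typedef size_t (*write_cb)(char *, size_t, size_t, void *);

/* The quoted pattern: the loop walks tempwrite forward, so the pointer that
 * reaches free() is the advanced one. This model does not call free(); it
 * returns what the original would have freed. */
static char *flush_buggy(char *tempwrite, size_t tempsize, write_cb cb, void *ud)
{
    do {
        size_t chunklen = cb(tempwrite, 1, tempsize, ud);
        if (chunklen == 0)          /* callback refused data: original sets an error */
            break;
        tempsize -= chunklen;       /* left after the call above */
        tempwrite += chunklen;      /* advance the pointer */
    } while (tempsize);
    return tempwrite;               /* no longer the allocation base once anything was written */
}

/* The repair: keep the allocation base, advance a separate cursor, and free
 * the base. Returns bytes delivered, or (size_t)-1 if the callback refused data. */
static size_t flush_fixed(char *tempwrite, size_t tempsize, write_cb cb, void *ud)
{
    char  *cursor = tempwrite;
    size_t delivered = 0;
    do {
        size_t chunklen = cb(cursor, 1, tempsize, ud);
        if (chunklen == 0) {
            free(tempwrite);
            return (size_t)-1;
        }
        tempsize  -= chunklen;
        cursor    += chunklen;
        delivered += chunklen;
    } while (tempsize);
    free(tempwrite);                /* always the base pointer */
    return delivered;
}

/* How many bytes past the allocation start the buggy loop's free() argument
 * ends up, for a constructed buffer of `total` bytes drained in chunks of at
 * most `max_chunk`. Any non-zero answer means free() of a non-base pointer. */
size_t buggy_free_offset(size_t total, size_t max_chunk)
{
    struct sink s = { .len = 0, .max_chunk = max_chunk };
    char *buf = malloc(total);
    if (!buf)
        return 0;
    memset(buf, 'A', total);        /* constructed server-supplied bytes */
    char *p = flush_buggy(buf, total, sink_write, &s);
    size_t off = (size_t)(p - buf);
    free(buf);                      /* release the real base ourselves */
    return off;
}

/* Same scenario through the fixed loop: bytes delivered, or (size_t)-1. */
size_t fixed_flush_delivered(size_t total, size_t max_chunk)
{
    struct sink s = { .len = 0, .max_chunk = max_chunk };
    char *buf = malloc(total);
    if (!buf)
        return (size_t)-1;
    memset(buf, 'A', total);
    return flush_fixed(buf, total, sink_write, &s);  /* flush_fixed frees buf */
}

int main(void)
{
    printf("buggy loop would free base+%zu\n", buggy_free_offset(10, 4));
    printf("fixed loop delivered %zu bytes\n", fixed_flush_delivered(10, 4));
    return 0;
}
```

With a 10-byte buffer and a callback that takes 4 bytes at a time, the buggy loop ends with `tempwrite` ten bytes past the start of the allocation, which is exactly the pointer the quoted code passes to free(); the fixed loop delivers the same ten bytes and frees the base.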