
curl-library

Re: curl_easy_pause bugs

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 3 Sep 2008 23:13:11 +0200 (CEST)

On Wed, 3 Sep 2008, Dan Fandrich wrote:

>> tempwrite is increased by some value and later there is an attempt to
>> free() the memory at increased pointer.
>
> There is also the potential that this defect could cause a remotely
> exploitable security problem (CWE-590). The server has control over the
> contents of the buffer as well as the size of the chunklen. It only affects apps
> which use the pause mechanism, and probably wouldn't be trivial to exploit,
> but the consequences could be serious.

The chunklen is the amount of data the client has received (or at most 16K per
lap in that code), so it's actually not _directly_ controllable by the server
as it'll depend a lot on the network conditions etc as well.

But of course we should fix that code when we correct the return code check to
avoid all those possible problems! See attachment for my suggested fix.

-- 
  / daniel.haxx.se

Received on 2008-09-03
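The defect under discussion is a pointer-bookkeeping mistake: a heap buffer is walked in laps by advancing the only copy of the pointer malloc() returned, and that advanced pointer is what eventually reaches free(). The following C program is an added illustration written for this page; it is not libcurl code and not the attached fix. It assumes a 16K per-lap limit (LAP_MAX), an invented write-callback type, and a constructed input buffer. Both variants return the pointer they would hand to free() instead of freeing it themselves, so the buggy one can be run safely and the two targets compared; only the base pointer is ever actually freed. (The mail cites CWE-590; CWE-761, free of a pointer not at the start of a buffer, names this exact pattern.)

```c
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration of the pointer-bookkeeping bug discussed in the
   mail above; this is not libcurl code. LAP_MAX is an assumed per-lap limit
   mirroring the "at most 16K per lap" figure, and write_cb is invented here. */
#define LAP_MAX 16384

typedef size_t (*write_cb)(const char *ptr, size_t len, void *userp);

/* Buggy pattern: the only copy of the malloc()'d pointer is advanced as each
   lap is consumed, so the pointer that would finally be handed to free() is
   the base plus everything written. To keep this runnable the function
   returns that pointer instead of freeing it. */
char *drain_buggy(char *tempwrite, size_t templen, write_cb cb, void *userp)
{
    while(templen) {
        size_t chunklen = templen > LAP_MAX ? LAP_MAX : templen;
        size_t wrote = cb(tempwrite, chunklen, userp);
        if(wrote != chunklen)
            break;                 /* callback refused some of the data */
        tempwrite += wrote;        /* the base pointer is lost here */
        templen -= wrote;
    }
    return tempwrite;              /* what free() would receive: wrong */
}

/* Fixed pattern: the base pointer is never modified; the walk uses an
   offset, and the unmodified base is what free() receives. */
char *drain_fixed(char *tempwrite, size_t templen, write_cb cb, void *userp,
                  size_t *laps)
{
    size_t offset = 0;
    *laps = 0;
    while(offset < templen) {
        size_t chunklen = templen - offset;
        if(chunklen > LAP_MAX)
            chunklen = LAP_MAX;
        size_t wrote = cb(tempwrite + offset, chunklen, userp);
        if(wrote != chunklen)
            break;
        offset += wrote;
        (*laps)++;
    }
    return tempwrite;              /* what free() receives: the base */
}

/* Test double for the write callback: counts bytes and xors them so a
   caller can confirm every byte reached it exactly once. */
struct sink { size_t total; unsigned char xorsum; };

size_t sink_cb(const char *ptr, size_t len, void *userp)
{
    struct sink *s = userp;
    for(size_t i = 0; i < len; i++)
        s->xorsum ^= (unsigned char)ptr[i];
    s->total += len;
    return len;
}

/* Drives both variants over a constructed n-byte buffer and reports the
   offset, relative to the base, of the pointer each variant would free.
   Returns -1 on allocation failure, -2 if the variants delivered different
   data to the callback, 0 otherwise. */
int compare_free_targets(size_t n, ptrdiff_t *buggy_off, ptrdiff_t *fixed_off,
                         size_t *laps, size_t *delivered)
{
    char *base = malloc(n ? n : 1);
    if(!base)
        return -1;
    for(size_t i = 0; i < n; i++)
        base[i] = (char)(i & 0xff);    /* constructed sample payload */

    struct sink s1 = {0, 0}, s2 = {0, 0};
    *buggy_off = drain_buggy(base, n, sink_cb, &s1) - base;
    *fixed_off = drain_fixed(base, n, sink_cb, &s2, laps) - base;
    *delivered = s2.total;
    free(base);                        /* only the base is ever freed */
    return (s1.total == s2.total && s1.xorsum == s2.xorsum) ? 0 : -2;
}

int main(void)
{
    ptrdiff_t b, f;
    size_t laps, delivered;
    if(compare_free_targets(40000, &b, &f, &laps, &delivered) != 0)
        return 1;
    printf("buggy would free base+%td, fixed frees base+%td, "
           "%zu laps, %zu bytes delivered\n", b, f, laps, delivered);
    return 0;
}
```

Both variants deliver identical data to the callback, which is why the bug is invisible until free() runs: the only difference is the offset of the pointer handed to the allocator. Keeping the allocation in a variable that is never reassigned, and walking with a separate offset or cursor, is the habit that prevents this class of defect regardless of how chunklen is chosen.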