curl-library

Re: crash in libcurl - Symbian

From: Frank McGeough <fmcgeough_at_mac.com>
Date: Sun, 17 May 2009 22:41:55 -0400

After tracing through the code a bit, the problem occurs in transfer.c
in:

static CURLcode readwrite_upload(struct SessionHandle *data,
                                  struct connectdata *conn,
                                  struct SingleRequest *k,
                                  int *didwhat)

The local variable bytes_written is set to a value greater than
data->req.upload_present. The statements where I see the problem are:

     if(data->req.upload_present != bytes_written) {
       /* we only wrote a part of the buffer (if anything), deal with it! */

       /* store the amount of bytes left in the buffer to write */
       data->req.upload_present -= bytes_written;

The if statement evaluates to true, but the code's assumption is that
bytes_written will never be greater than data->req.upload_present.
Still tracing to see why this is not true in my case.

On May 17, 2009, at 6:44 PM, Frank McGeough wrote:

> After getting libcurl to compile for Symbian - Nokia 5th edition SDK
> 1,0 - I began implementing a protocol that sits on top of HTTP/HTTPS.
> Although simple GETs and POSTs work fine, a GET with my own
> headers supplied crashes with a memory overrun down in curlib.
> Perhaps I'm doing something wrong, but I've narrowed the code down as
> much as I can and it's just not doing that much. Here it is:
>
> #include <iostream>
> #include <curl/curl.h>
>
> void testGetWithHeaders(char* url)
> {
>   CURL *curl;
>   CURLcode curl_result;
>
>   curl = curl_easy_init();
>
>   if (curl)
>   {
>     curl_easy_setopt(curl, CURLOPT_URL, url);
>
>     // custom request headers sent along with the GET
>     struct curl_slist *headers = NULL;
>     headers = curl_slist_append(headers, "x-mm-clientid: nmm:xyz3.1$oper_at_nok.b71.cyld");
>     headers = curl_slist_append(headers, "x-mm-commandid: 2");
>     headers = curl_slist_append(headers, "x-mm-cookie: NIC=NIC-7668-27");
>     headers = curl_slist_append(headers, "x-mm-cookie: PIC=PIC-7668-28");
>     curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
>
>     curl_result = curl_easy_perform(curl);
>     curl_easy_cleanup(curl);
>     curl_slist_free_all(headers);  // release the header list
>
>     if (curl_result == CURLE_OK)
>     {
>       std::cout << "OK!" << std::endl;
>     }
>     else
>     {
>       // something went wrong - error code is in curl_result
>       std::cout << "libcurl error code #" << curl_result << std::endl;
>     }
>   }
> }
>
> The crash occurs in curl_easy_perform. It looks like after the GET
> returns with the data (the server sends back HTTP/1.1 200 OK), the
> curlib attempts to write a giant amount of data back. This is
> because data->req.upload_present is set to -103. That value gets
> passed in as size_t len in :
>
> CURLcode Curl_write(struct connectdata *conn, curl_socket_t sockfd,
> const void *mem, size_t len, ssize_t *written)
>
> and becomes 4294967188.
>
> If anyone has suggestions to track this down further or some idea of
> something stupid that I'm doing they'd be appreciated. thanks.
Received on 2009-05-18
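
The accounting problem discussed in this thread, as an added example that is not code from the mails or from libcurl: a signed "bytes left" counter goes negative when the written count exceeds it, and the negative value turns into a huge length once converted to an unsigned size. The type names, the struct, both functions, the else branch and the sample values are assumptions made for illustration; a 32-bit size_t is modelled with uint32_t.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: the target has a 32-bit size_t; fixed-width types are used
 * so the result is the same when this is built on a 64-bit host. */
typedef int32_t  model_ssize_t;
typedef uint32_t model_size_t;

/* Hypothetical stand-in for the counter in the thread, not libcurl's struct. */
struct upload_state { model_ssize_t upload_present; };

/* Modelled on the statements quoted above: subtract with no bound check.
 * Returns what a later write call would receive as its length argument. */
static model_size_t account_unchecked(struct upload_state *s,
                                      model_ssize_t bytes_written)
{
  if(s->upload_present != bytes_written)
    s->upload_present -= bytes_written;   /* may go negative */
  else
    s->upload_present = 0;                /* assumed: everything was sent */
  return (model_size_t)s->upload_present; /* negative wraps to ~4 billion */
}

/* Defensive variant: reject a count outside [0, upload_present] and leave
 * the state untouched so the caller can abort the transfer. */
static int account_checked(struct upload_state *s,
                           model_ssize_t bytes_written,
                           model_size_t *next_len)
{
  if(bytes_written < 0 || bytes_written > s->upload_present)
    return -1;
  s->upload_present -= bytes_written;
  *next_len = (model_size_t)s->upload_present;
  return 0;
}

int main(void)
{
  /* constructed values: 10 bytes buffered, 15 reported as written */
  struct upload_state a = { 10 }, b = { 10 };
  model_size_t len = 0;
  model_size_t wrapped = account_unchecked(&a, 15);
  int rc = account_checked(&b, 15, &len);
  printf("unchecked: next length = %lu\n", (unsigned long)wrapped);
  printf("checked: rc = %d, upload_present = %ld\n", rc, (long)b.upload_present);
  return 0;
}
```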