

Incorrect size passed to the writer function set by CURLOPT_WRITEFUNCTION

From: Rashmi <>
Date: Tue, 13 May 2014 20:46:08 +0530

We have an issue with the response copied to the user buffer by the writer
function specified with the CURLOPT_WRITEFUNCTION. It appears that the
pointer passed to the writer function is offset by two bytes from the
actual start of the response but the size is not decremented.

Snippet from the code:
#include <curl/curl.h>
#include <iostream>
#include <string>
#include <vector>

using namespace std;

// Write callback: libcurl passes size * nmemb bytes in contents.
size_t write_data(void *contents, size_t size, size_t nmemb, void *userp)
{
  char* ptr = (char*)contents;
  cout << "Buffer at source :" << endl;
  // The loop body is missing from the archived message; printing each
  // byte matches the sample output below.
  for (size_t i = 0; i < (size * nmemb); i++) {
    cout << ptr[i];
  }

  ((std::string*)userp)->append((char*)contents, size * nmemb);
  cout << "Size : " << size << " nmemb: " << nmemb << endl;
  return size * nmemb;
}

int main()
{
  std::string outbuf;
  vector<string> header;

  header.push_back("Content-Type: application/xml; charset=\"utf-8\"");
  header.push_back("CIMOperation: MethodCall");
  header.push_back("CIMMethod: sample_method");

  string xmlString("dummy xml string");

  CURL *hnd = curl_easy_init();
  if (NULL != hnd) {
    curl_slist *headerArray = NULL;
    // Append the custom headers to curl_slist structure
    for (size_t i = 0; i < header.size(); ++i) {
      headerArray = curl_slist_append(headerArray, header[i].c_str());
    }
    curl_easy_setopt(hnd, CURLOPT_URL, "");
    curl_easy_setopt(hnd, CURLOPT_HEADER, 1L);
    curl_easy_setopt(hnd, CURLOPT_PROXY, NULL);
    curl_easy_setopt(hnd, CURLOPT_WRITEFUNCTION, write_data);
    curl_easy_setopt(hnd, CURLOPT_WRITEDATA, &outbuf);
    curl_easy_setopt(hnd, CURLOPT_POST, 1L);
    curl_easy_setopt(hnd, CURLOPT_TIMEOUT, 120L);
    curl_easy_setopt(hnd, CURLOPT_UNRESTRICTED_AUTH, 1L);
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, xmlString.c_str());
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDSIZE, (long)xmlString.size());
    curl_easy_setopt(hnd, CURLOPT_SSLCERT, "/etc/apache/server.crt");
    curl_easy_setopt(hnd, CURLOPT_SSLCERTTYPE, "PEM");
    curl_easy_setopt(hnd, CURLOPT_SSLKEY, "/etc/apache/server.key");
    // Argument truncated in the archived message:
    // curl_easy_setopt(hnd, CURLOPT_SSH_PRIVATE_KEYFILE,
    // Peer and host certificate verification are switched off here.
    curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYHOST, 0L);
    curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headerArray);
    curl_easy_setopt(hnd, CURLOPT_NOSIGNAL, 1L);

    CURLcode ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK) {
      cerr << curl_easy_strerror(ret) << endl;
    }
    curl_slist_free_all(headerArray);
    curl_easy_cleanup(hnd);
  }
  return 0;
}

Sample output:

< HTTP/1.1 401 Unauthorized
Buffer at source :
HTTP/1.1 401 Unauthorized
Size : 1 nmemb: 27

This is resulting in a buffer out-of-bounds access. I need help to identify
whether there is anything wrong in the usage of the CURLOPT_WRITEFUNCTION
function, or is this a known issue?

Thanks in advance for your help!


Received on 2014-05-13
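
Added example, not part of the original message and not libcurl's own code: libcurl hands a CURLOPT_WRITEFUNCTION callback exactly size * nmemb bytes with no terminating NUL, so the callback below treats contents as a byte span, checks the product for wrap-around and caps the total it stores. BoundedSink, bounded_write, the 64-byte cap and the wire bytes are hypothetical names and constructed data; the block does not link against libcurl.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>

// Hypothetical sink: accumulates the response, never beyond `limit` bytes.
struct BoundedSink {
    std::string data;
    std::size_t limit;
    bool refused;
    explicit BoundedSink(std::size_t cap) : limit(cap), refused(false) {}
};

// Same signature libcurl expects for CURLOPT_WRITEFUNCTION. `contents`
// holds exactly size * nmemb bytes and carries no terminating NUL.
size_t bounded_write(void *contents, size_t size, size_t nmemb, void *userp)
{
    BoundedSink *sink = static_cast<BoundedSink *>(userp);

    // Reject a size * nmemb product that would wrap around size_t.
    if (size != 0 && nmemb > SIZE_MAX / size) {
        sink->refused = true;
        return 0;
    }
    const size_t len = size * nmemb;

    // Refuse a chunk that would push the total past the cap. A return
    // value different from len makes libcurl abort the transfer.
    if (len > sink->limit - sink->data.size()) {
        sink->refused = true;
        return 0;
    }
    sink->data.append(static_cast<const char *>(contents), len);
    return len;
}

// Constructed input: a 27-byte status line followed directly by more
// bytes, the way a chunk sits inside a larger receive buffer.
static char wire[] = "HTTP/1.1 401 Unauthorized\r\nServer: constructed\r\n";

int main()
{
    BoundedSink sink(64);  // cap chosen for the demo
    size_t taken = bounded_write(wire, 1, 27, &sink);
    std::cout << "taken=" << taken << " stored=" << sink.data.size()
              << " strlen(wire)=" << std::strlen(wire) << "\n";
    return 0;
}
```

Reading the chunk with strlen or printing it as a C string would run past the 27 delivered bytes into whatever follows them in the buffer.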