cURL / Mailing Lists / curl-library / Single Mail

curl-library

Incorrect size passed to the writer function set by CURLOPT_WRITEFUNCTION

From: Rashmi <rashmi.mg_at_gmail.com>
Date: Tue, 13 May 2014 20:46:08 +0530

We have an issue with the response copied to the user buffer by the writer
function specified with the CURLOPT_WRITEFUNCTION. It appears that the
pointer passed to the writer function is offset by two bytes from the
actual start of the response but the size is not decremented.

Snippet from the code:
size_t write_data(void *contents, size_t size, size_t nmemb, void *userp)
{
char* ptr = (char*)contents;
cout << "Buffer at source :" <<endl;
for (int i=0;i < (size* nmemb);i++ )
cout<<*(ptr+i);

  ((std::string*)userp)->append((char*)contents, size * nmemb);
  cout<<"Size : "<<size<<" nmemb: "<<nmemb<<endl;
  return size * nmemb;
}

int main()
{
std::string outbuf;
vector <string> header;

  header.push_back("Content-Type: application/xml; charset=\"utf-8\"");
  header.push_back("CIMOperation: MethodCall");
  header.push_back("CIMMethod: sample_method");

string xmlString("dummy xml string");

  CURLcode ret = CURLE_FAILED_INIT;
  CURL *hnd = curl_easy_init();
  if(NULL != hnd) {
        curl_slist *headerArray = NULL;
        //Append the custom headers to curl_slist structure
        for(int i=0; i < header.size(); ++i) {
                headerArray =
curl_slist_append(headerArray,header[i].c_str());
        }
        curl_easy_setopt(hnd, CURLOPT_URL,"https://abc.xyz.com:123/cimom");
        curl_easy_setopt(hnd, CURLOPT_HEADER, 1);
        curl_easy_setopt(hnd, CURLOPT_PROXY, NULL);
        curl_easy_setopt(hnd, CURLOPT_WRITEFUNCTION, write_data);
        curl_easy_setopt(hnd, CURLOPT_WRITEDATA,&outbuf);
        curl_easy_setopt(hnd, CURLOPT_POST, 1);
        curl_easy_setopt(hnd, CURLOPT_TIMEOUT, 120);
        curl_easy_setopt(hnd, CURLOPT_UNRESTRICTED_AUTH, 1);
        curl_easy_setopt(hnd, CURLOPT_POSTFIELDS,xmlString.c_str());
        curl_easy_setopt(hnd, CURLOPT_POSTFIELDSIZE, xmlString.size());
        curl_easy_setopt(hnd, CURLOPT_SSLCERT,"/etc/apache/server.crt" );
        curl_easy_setopt(hnd, CURLOPT_SSLCERTTYPE, "PEM");
        curl_easy_setopt(hnd, CURLOPT_SSLKEY, "/etc/apache/server.key");
        curl_easy_setopt(hnd, CURLOPT_SSH_PRIVATE_KEYFILE,
"/etc/apache/server.crt");
        curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYPEER, 0);
        curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYHOST, 0);
        curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1);
        curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headerArray);
        curl_easy_setopt(hnd, CURLOPT_NOSIGNAL, 1);

    ret = curl_easy_perform(hnd);
        curl_slist_free_all(headerArray);
        curl_easy_cleanup(hnd);
  }
  return 0;
}

Sample output:

< HTTP/1.1 401 Unauthorized
Buffer at source :
HTTP/1.1 401 Unauthorized
Size : 1 nmemb: 27

This is resulting in a buffer out-of-bounds access. I need help to identify
if there is anything wrong in the usage of the CURLOPT_WRITEFUNCTION
function or this is a known issue?

Thanks in advance for your help!

Regards
Rashmi

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-05-13

This message: [ Message body ]
Next message: Patrick Monnerat: "RE: Incorrect size passed to the writer function set by CURLOPT_WRITEFUNCTION"
Previous message: Kamil Dudka: "Re: [SECURITY ADVISORY 1/4] libcurl wrong re-use of connections"
Next in thread: Patrick Monnerat: "RE: Incorrect size passed to the writer function set by CURLOPT_WRITEFUNCTION"
Reply: Patrick Monnerat: "RE: Incorrect size passed to the writer function set by CURLOPT_WRITEFUNCTION"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]