Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

CURLOPT_TIMEOUT - INT_MAX/1000

From: Hölzl, Dominik <Dominik.Hoelzl_at_fabasoft.com>
Date: Mon, 11 Dec 2017 14:08:02 +0000

Hello!

I have a question about CURLOPT_TIMEOUT and the maximum configurable value:

The check is about

  case CURLOPT_TIMEOUT:
    /*
     * The maximum time you allow curl to use for a single transfer
     * operation.
     */
    arg = va_arg(param, long);
    if((arg >= 0) && (arg < (INT_MAX/1000)))
      data->set.timeout = arg * 1000;
    else
      return CURLE_BAD_FUNCTION_ARGUMENT;
    break;

so configuring a value with INT_MAX/1000 would lead to CURLE_BAD_FUNCTION_ARGUMENT.

Shouldn't be the check like

    if((arg >= 0) && (arg <= (INT_MAX/1000)))

?

(INT_MAX/1000) * 1000 wouldn't exceed INT_MAX.

When using CURLOPT_TIMEOUT_MS there is no upper bounds check, so setting CURLOPT_TIMEOUT_MS to INT_MAX would succeed.

Regards,
Dominik

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-12-11