Re: libcurl leaks information in freed memory

From: Daniel Stenberg via curl-library <>
Date: Fri, 19 Oct 2018 16:15:45 +0200 (CEST)

On Fri, 19 Oct 2018, Gabriel Zachmann wrote:

>> memory before the pointer it returns.
> I attached some code that should be capable of doing so.

If clearing the memory just before free is all that's necessary, I suppose an
alternative option is to link in a malloc replacement that does exactly this.

However, some of that data will then be around during entire transfers for
potentially a very long time already, so I'd question how much such a simple
fix will do (besides adding a lot of overhead).

Also, as has been pointed out, in most cases the sensible data like user names
or passwords are already held in memory by the application that passes that
information to libcurl and that application is likely to (in most situations)
hold on to that data for the duration of the transfer. In memory.

Received on 2018-10-19
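
The "clear just before free" allocator discussed in the mail above, as an added example that is not part of the original message and is not curl code. The `z*` names are hypothetical; the five signatures are chosen to match the callbacks accepted by `curl_global_init_mem()`, and the size is kept in a header before the returned pointer.

```c
/* Added example (hypothetical z* names), not curl code. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Header stored before the returned pointer; the union keeps alignment. */
typedef union { size_t size; max_align_t align; } zhdr;

/* Volatile stores so the compiler cannot drop the wipe as a dead write. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

size_t zsize(const void *ptr) { return ((const zhdr *)ptr - 1)->size; }
void *zmalloc(size_t size) {
    zhdr *h = size > SIZE_MAX - sizeof(zhdr) ? NULL : malloc(sizeof(zhdr) + size);
    if (!h) return NULL;
    h->size = size;
    return h + 1;
}

/* Wipe payload and header; return the base pointer that free() expects. */
void *zwipe(void *ptr) {
    zhdr *h = (zhdr *)ptr - 1;
    wipe(h, sizeof(zhdr) + h->size);
    return h;
}
void zfree(void *ptr) { if (ptr) free(zwipe(ptr)); }

void *zcalloc(size_t n, size_t size) {
    if (size && n > SIZE_MAX / size) return NULL;  /* n * size would overflow */
    void *p = zmalloc(n * size);
    return p ? memset(p, 0, n * size) : NULL;
}

/* Do not call realloc() directly: it may move the block and leave the
   old copy unwiped. Allocate, copy, then wipe and free the old block. */
void *zrealloc(void *ptr, size_t size) {
    void *n = zmalloc(size);
    if (!n || !ptr) return n;
    memcpy(n, ptr, zsize(ptr) < size ? zsize(ptr) : size);
    zfree(ptr);
    return n;
}

char *zstrdup(const char *s) {
    char *p = zmalloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}
```

This only clears data at the moment of release; as the mail notes, it does nothing about how long the data stays live during a transfer or about copies held by the application.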