curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: On memory-leaks as security problems

From: Daniel Stenberg via curl-library <>
Date: Thu, 7 Jan 2021 10:56:27 +0100 (CET)

On Thu, 7 Jan 2021, Kamil Dudka wrote:

>> A) If the memory leak is so large that it is likely to cause a memory
>> related failure in near-term for the application. This would mean in the
>> tens to hundreds of kilobytes, at least.
> (A) is tricky. Desktop applications can survives a few gigabytes of leaked
> memory without having any impact on security while embedded devices can die
> rather quickly.

Yes it is tricky. Also because libcurl is a library and we cannot reasonably
tell exactly how users use it so its hard to judge exactly how a leak affects
applications. A small leak in a function that is called very often will end up
a very big leak very fast.

I think a leak in the area of "hundreds of kilobytes" (without any specific
limit) in a single call is probably large enough to cause significant problems
and would be a security problems.

What if it's a 10K leak in curl_easy_perform() ? I probably wouldn't call that
a security problem. (But I would call it a serious bug!) Yet there are
applications doing thousands (and more) of transfers per second so 10K times
thousands will end up a huge amount of memory in nearly no time...

  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
Received on 2021-01-07