Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: On memory-leaks as security problems
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Jeffrey Walton via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 7 Jan 2021 08:47:53 -0500
On Thu, Jan 7, 2021 at 8:35 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Thu, 7 Jan 2021, Jeffrey Walton wrote:
>
> > Size does not matter. If it's a long running process then there's a risk of
> > resource exhaustion.
>
> Yes, that's what a memory-leak is. The question is rather if that makes
> *every* leak a security problem and if not, which are and which aren't?
>
> The difficulty lies in that grey area between "all" and "none".
All memory leaks can lead to resource exhaustion on platforms that use
managed languages due to the process lifecycle model.
The managed languages load and unload a shared object multiple times
throughout the lifetime of the process.
I guess that means, if cURL can run on a managed platform, then the
potential for resource exhaustion exists, and the memory leak is CVE
worthy.
Jeff
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-01-07
Date: Thu, 7 Jan 2021 08:47:53 -0500
On Thu, Jan 7, 2021 at 8:35 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Thu, 7 Jan 2021, Jeffrey Walton wrote:
>
> > Size does not matter. If it's a long running process then there's a risk of
> > resource exhaustion.
>
> Yes, that's what a memory-leak is. The question is rather if that makes
> *every* leak a security problem and if not, which are and which aren't?
>
> The difficulty lies in that grey area between "all" and "none".
All memory leaks can lead to resource exhaustion on platforms that use
managed languages due to the process lifecycle model.
The managed languages load and unload a shared object multiple times
throughout the lifetime of the process.
I guess that means, if cURL can run on a managed platform, then the
potential for resource exhaustion exists, and the memory leak is CVE
worthy.
Jeff
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-01-07