
Re: On memory-leaks as security problems

From: Jeffrey Walton via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 7 Jan 2021 08:47:53 -0500

On Thu, Jan 7, 2021 at 8:35 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Thu, 7 Jan 2021, Jeffrey Walton wrote:
>
> > Size does not matter. If it's a long running process then there's a risk of
> > resource exhaustion.
>
> Yes, that's what a memory-leak is. The question is rather if that makes
> *every* leak a security problem and if not, which are and which aren't?
>
> The difficulty lies in that grey area between "all" and "none".

All memory leaks can lead to resource exhaustion on platforms that use
managed languages due to the process lifecycle model.

The managed languages load and unload a shared object multiple times
throughout the lifetime of the process.

I guess that means, if cURL can run on a managed platform, then the
potential for resource exhaustion exists, and the memory leak is CVE
worthy.

Jeff
Received on 2021-01-07