
Re: On memory-leaks as security problems

From: Jeffrey Walton via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 8 Jan 2021 09:58:58 -0500

On Fri, Jan 8, 2021 at 8:23 AM Tomalak Geret'kal via curl-library
<curl-library_at_cool.haxx.se> wrote:
>
> On 07/01/2021 13:47, Jeffrey Walton via curl-library wrote:
> > All memory leaks can lead to resource exhaustion on platforms that use
> > managed languages due to the process lifecycle model.
> >
> > The managed languages load and unload a shared object multiple times
> > throughout the lifetime of the process.
> >
> > I guess that means, if cURL can run on a managed platform, then the
> > potential for resource exhaustion exists, and the memory leak is CVE
> > worthy.
>
> Can't say I'm really seeing the relevance of managed
> platforms. Leaks can have impact anywhere. ...

Platforms like Android and Windows Phone behave differently than a
desktop or server. A harmless one-time leak in a desktop or server
becomes a recurring leak on those mobile platforms.

Jeff
Received on 2021-01-08
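
The mechanism discussed in this thread, as an added example that is not part of the original message or of curl's code: a C model of a shared object being loaded and unloaded repeatedly inside one process, where a "one-time" allocation recurs because the library's static guard is reset on each load while the process heap persists. The `lib_*` functions, the `lib_image` struct and the 4096-byte size are hypothetical, and the loader is simulated rather than driven through `dlopen`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of one shared object's static data; all names are hypothetical. */
struct lib_image {
    int initialized;   /* "run once" guard kept in the library's static data */
    char *table;       /* one-time allocation made by init */
};
enum { TABLE_SIZE = 4096 };
static size_t heap_outstanding;   /* bytes the process heap still holds */

/* Loader maps a fresh image: the library's static data starts zeroed again. */
static void lib_load(struct lib_image *img) { memset(img, 0, sizeof *img); }

/* One-time init: allocates once per mapping, not once per process. */
static int lib_global_init(struct lib_image *img) {
    if (img->initialized) return 0;
    img->table = malloc(TABLE_SIZE);
    if (!img->table) return -1;
    heap_outstanding += TABLE_SIZE;
    img->initialized = 1;
    return 0;
}

/* Matching cleanup; the leaky variant never calls it before unload. */
static void lib_global_cleanup(struct lib_image *img) {
    if (!img->initialized) return;
    free(img->table);
    heap_outstanding -= TABLE_SIZE;
    memset(img, 0, sizeof *img);
}

/* Run load/use/unload rounds and return the bytes still allocated.
   Unload discards the image (and its pointer); the heap block stays. */
size_t leaked_after(int cycles, int cleanup_on_unload) {
    struct lib_image img;
    heap_outstanding = 0;
    for (int i = 0; i < cycles; i++) {
        lib_load(&img);
        if (lib_global_init(&img) != 0) break;
        lib_global_init(&img);   /* repeat call in the same mapping: no-op */
        if (cleanup_on_unload) lib_global_cleanup(&img);
    }
    return heap_outstanding;
}

int main(void) {
    printf("no cleanup: %zu bytes, with cleanup: %zu bytes\n",
           leaked_after(1000, 0), leaked_after(1000, 1));
    return 0;
}
```

With a single load the leak is bounded at one table, which is the desktop or server case; with repeated load and unload cycles it grows linearly unless cleanup runs before each unload.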