Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: Backporting CVE-2022-27774 fixes to older curl
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 28 Dec 2022 23:15:12 +0100 (CET)
On Wed, 28 Dec 2022, Roberto C. Sánchez via curl-library wrote:
> Because the code is somewhat different in the older versions I am targeting,
> I am also trying to implement the associated tests (973-976 in commit
> 5295e8d). However, the tests also make use of some constructs that seem to
> have been introduced fairly recently. As a result of that, I am not able to
> verify my backported patch.
In idea: build the latest curl and its test suite in a separate place, then
you can run test 973-976 using the new build's tests to verify the old curl
version - using runtests.pl's -c option.
> In particular, these two lines in 620ea21 refer to struct members which
> are not present prior to 46620b9:
>
> Curl_safefree(data->state.aptr.user);
> Curl_safefree(data->state.aptr.passwd);
>
> My thought is that in the older versions of curl the same is
> accomplished by this instead:
>
> Curl_safefree(data->set.str[STRING_USERNAME]);
> Curl_safefree(data->set.str[STRING_PASSWORD]);
I don't think so. The strings in the data->set.str[] array are all freed
already. If you run a few tests with valgrind or with curl built with debug,
you can be sure of this as then that you know there are no memory leaks.
I would also recommend running test 973-976 with torture tests [1] to make
sure memory is managed correctly. Something like this:
$ cd tests
$ ./runtests.pl -n -t -c $PATH/src/curl 973 to 976
[1] = https://everything.curl.dev/internals/tests/torture
Date: Wed, 28 Dec 2022 23:15:12 +0100 (CET)
On Wed, 28 Dec 2022, Roberto C. Sánchez via curl-library wrote:
> Because the code is somewhat different in the older versions I am targeting,
> I am also trying to implement the associated tests (973-976 in commit
> 5295e8d). However, the tests also make use of some constructs that seem to
> have been introduced fairly recently. As a result of that, I am not able to
> verify my backported patch.
In idea: build the latest curl and its test suite in a separate place, then
you can run test 973-976 using the new build's tests to verify the old curl
version - using runtests.pl's -c option.
> In particular, these two lines in 620ea21 refer to struct members which
> are not present prior to 46620b9:
>
> Curl_safefree(data->state.aptr.user);
> Curl_safefree(data->state.aptr.passwd);
>
> My thought is that in the older versions of curl the same is
> accomplished by this instead:
>
> Curl_safefree(data->set.str[STRING_USERNAME]);
> Curl_safefree(data->set.str[STRING_PASSWORD]);
I don't think so. The strings in the data->set.str[] array are all freed
already. If you run a few tests with valgrind or with curl built with debug,
you can be sure of this as then that you know there are no memory leaks.
I would also recommend running test 973-976 with torture tests [1] to make
sure memory is managed correctly. Something like this:
$ cd tests
$ ./runtests.pl -n -t -c $PATH/src/curl 973 to 976
[1] = https://everything.curl.dev/internals/tests/torture
-- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://curl.se/support.html
-- Unsubscribe: https://lists.haxx.se/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2022-12-28