
curl-tracker Archives

[ curl-Bugs-3413274 ] Bounds checking for FD_SET() in curl_multi_fdset()

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Sun, 25 Sep 2011 17:38:43 +0200

Bugs item #3413274, was opened at 2011-09-23 13:11
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3413274&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: crash
>Status: Closed
>Resolution: Fixed
Priority: 7
>Private: No
Submitted By: Tim Starling (timstarling)
Assigned to: Daniel Stenberg (bagder)
Summary: Bounds checking for FD_SET() in curl_multi_fdset()

Initial Comment:
fd_set is implemented as a bitfield with FD_SETSIZE (typically 1024) bits in it. FD_SET() is a macro which sets bits in it, and at least on Linux, the macro does not have any bounds checking. That means that if curl uses FDs with numbers over 1024, calling curl_multi_fdset() will cause the bitfield to overflow, potentially destroying the caller's stack.

lib/select.c does this correctly, with a bounds checking macro, but lib/multi.c does not. I've confirmed a crash on libcurl 7.21.3.

In the worst case, this may lead to an arbitrary execution vulnerability if the calling app has a sandboxed scripting environment and untrusted scripts are allowed. So I'm checking the "private" box to be on the safe side.

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2011-09-25 17:38

Message:
Thanks for the report. We find the risk of exploitation of this bug very
minimal, while we don't consider it to be security related.

commit 2d6796aac51d was just pushed to git which introduces this boundary
check, and I added a paragraph to the man page about it.

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2011-09-24 22:30

Message:
Thanks for your report. This is clearly a bug, and I'll discuss with the
guys on curl-security on how to treat its security level. I'll leave it as
private for now.

----------------------------------------------------------------------

Received on 2011-09-25
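As an added example, not code from the curl project or from either commenter, this is the bounds-check pattern the report asks for and the fix comment refers to, in C: a checked wrapper around FD_SET() that refuses descriptors outside 0..FD_SETSIZE-1, plus a small fdset-style collector built on it. The function names are hypothetical and the descriptor lists are constructed.

```c
#include <sys/select.h>
#include <stdio.h>
#include <stdlib.h>

/* FD_SET() on Linux performs no range check: a descriptor numbered
 * >= FD_SETSIZE sets a bit past the end of the fd_set, i.e. writes into
 * whatever the caller placed after it (often on the stack). The safe
 * pattern, the same idea the report attributes to lib/select.c, is to
 * validate the descriptor before touching the set at all. */

/* Hypothetical checked wrapper. Returns 1 on success, 0 if fd cannot be
 * represented in an fd_set (negative or >= FD_SETSIZE). */
static int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;            /* refuse rather than write out of bounds */
    FD_SET(fd, set);
    return 1;
}

/* Hypothetical stand-in for what a curl_multi_fdset()-style routine must
 * do: add every descriptor it owns to the set and report the maximum.
 * Returns 0 on success; returns -1 and leaves *max_fd untouched if any
 * descriptor is out of range, so the caller can fall back to poll(). */
static int collect_fdset(const int *fds, size_t n, fd_set *set, int *max_fd)
{
    int maxfd = -1;
    FD_ZERO(set);
    for (size_t i = 0; i < n; i++) {
        if (!safe_fd_set(fds[i], set))
            return -1;
        if (fds[i] > maxfd)
            maxfd = fds[i];
    }
    *max_fd = maxfd;
    return 0;
}

int main(void)
{
    /* Constructed descriptor lists: one in range, one containing a value
     * at the limit, which is exactly the case the unchecked macro mishandles. */
    int good[] = {0, 1, 2};
    int bad[]  = {0, FD_SETSIZE};
    fd_set set;
    int maxfd;
    printf("good: %d\n", collect_fdset(good, 3, &set, &maxfd));
    printf("bad:  %d\n", collect_fdset(bad, 2, &set, &maxfd));
    return 0;
}
```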
