Heap corruption after reusing CURL handle for which buffer size was changed #4143
In curl_easy_reset attempt to resize the receive buffer to its default size. If realloc fails then continue using the previous size.

Prior to this change curl_easy_reset did not properly handle resetting the receive buffer (data->state.buffer). It reset the variable holding its size (data->set.buffer_size) to the default size (READBUFFER_SIZE) but then did not actually resize the buffer. If a user resized the buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the default, later called curl_easy_reset and attempted to reuse the handle then a heap overflow would very likely occur during that handle's next transfer.

Reported-by: Felix Hädicke
Fixes curl#4143
Closes #xxxx
It's a bug, see #4145 for the fix. How it happens:

curl_easy_init (Curl_open) initializes data->state.buffer to READBUFFER_SIZE + 1 and then calls Curl_init_userdefined which sets data->set.buffer_size to READBUFFER_SIZE: Lines 593 to 605 in aa73eb4; Line 542 in aa73eb4

CURLOPT_BUFFERSIZE changes the size: Lines 2006 to 2016 in aa73eb4

curl_easy_reset calls Curl_init_userdefined which sets data->set.buffer_size to READBUFFER_SIZE: Line 542 in aa73eb4

curl_easy_reset does not resize the buffer, which is the bug.
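The sequence described in the fix commit above and in the comment explaining how it happens (init, shrink with CURLOPT_BUFFERSIZE, reset, reuse) can be checked in isolation with a small model of the two fields involved. The following program is an added example, not libcurl code and not the reporter's missing reproducer: struct handle, handle_init, handle_set_buffersize, handle_reset_buggy, handle_reset_fixed, handle_is_safe, run_scenario, the capacity field and the fail_next_realloc hook are all constructed for this illustration, and READBUFFER_SIZE is given an arbitrary small value here. It contrasts the pre-fix reset, which only resets the size field, with the fixed reset, which reallocates to the default size and keeps the previous size when realloc fails.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the fields involved, not libcurl's real structures.
   In libcurl the receive buffer is data->state.buffer and the configured size
   is data->set.buffer_size. READBUFFER_SIZE stands in for libcurl's default;
   the value here is an arbitrary small constant chosen for the example. */
#define READBUFFER_SIZE 512

struct handle {
    char  *buffer;      /* models data->state.buffer */
    size_t capacity;    /* real allocation size; tracked here only to detect the mismatch */
    size_t buffer_size; /* models data->set.buffer_size, the size the receive path trusts */
};

/* Hypothetical hook so a test can force the realloc-failure path. */
static int fail_next_realloc = 0;

static char *model_realloc(char *p, size_t n) {
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}

/* Models curl_easy_init: allocate the default-size buffer (+1, as Curl_open does). */
static struct handle *handle_init(void) {
    struct handle *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->buffer = malloc(READBUFFER_SIZE + 1);
    if (!h->buffer) { free(h); return NULL; }
    h->capacity = READBUFFER_SIZE + 1;
    h->buffer_size = READBUFFER_SIZE;
    return h;
}

/* Models CURLOPT_BUFFERSIZE: resize the buffer and record the new size. */
static int handle_set_buffersize(struct handle *h, size_t size) {
    char *nb = model_realloc(h->buffer, size + 1);
    if (!nb) return -1;
    h->buffer = nb;
    h->capacity = size + 1;
    h->buffer_size = size;
    return 0;
}

/* Behaviour before the fix: only the size field is reset; the buffer keeps
   whatever capacity CURLOPT_BUFFERSIZE last gave it. */
static void handle_reset_buggy(struct handle *h) {
    h->buffer_size = READBUFFER_SIZE;
}

/* Behaviour after the fix: try to restore a default-size buffer; if realloc
   fails, keep the previous buffer and size so buffer_size never exceeds capacity. */
static int handle_reset_fixed(struct handle *h) {
    char *nb = model_realloc(h->buffer, READBUFFER_SIZE + 1);
    if (!nb) return -1;              /* previous buffer and size stay in use */
    h->buffer = nb;
    h->capacity = READBUFFER_SIZE + 1;
    h->buffer_size = READBUFFER_SIZE;
    return 0;
}

/* The invariant the receive path relies on: it may write up to buffer_size
   bytes, so the allocation must be at least that large. */
static int handle_is_safe(const struct handle *h) {
    return h->buffer_size <= h->capacity;
}

static void handle_free(struct handle *h) {
    if (h) { free(h->buffer); free(h); }
}

/* Walks the reported sequence (init, resize, reset, reuse) against either reset.
   Returns 1 if the handle is safe to reuse afterwards, 0 if the next transfer
   could overflow the buffer, -1 on allocation failure. */
static int run_scenario(int use_fixed_reset, size_t new_size, int inject_failure) {
    struct handle *h = handle_init();
    if (!h) return -1;
    if (handle_set_buffersize(h, new_size) != 0) { handle_free(h); return -1; }
    fail_next_realloc = inject_failure;
    if (use_fixed_reset) handle_reset_fixed(h); else handle_reset_buggy(h);
    fail_next_realloc = 0;
    int safe = handle_is_safe(h);
    handle_free(h);
    return safe;
}

int main(void) {
    printf("buggy reset after shrinking to 32:  %s\n", run_scenario(0, 32, 0) ? "safe" : "OVERFLOW RISK");
    printf("fixed reset after shrinking to 32:  %s\n", run_scenario(1, 32, 0) ? "safe" : "OVERFLOW RISK");
    printf("fixed reset, realloc fails:         %s\n", run_scenario(1, 32, 1) ? "safe" : "OVERFLOW RISK");
    printf("buggy reset after growing to 1024:  %s\n", run_scenario(0, 1024, 0) ? "safe" : "OVERFLOW RISK");
    return 0;
}
```

The last scenario shows why the commit message singles out sizes smaller than the default: after growing the buffer, the stale size field is smaller than the real allocation, so the pre-fix reset wastes memory but does not overflow. A libcurl build without the fix can be defended against in application code by never relying on curl_easy_reset to restore the buffer, i.e. by setting CURLOPT_BUFFERSIZE again explicitly before reusing the handle.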
I did this
After this, the heap memory of my application is corrupted.
curl/libcurl version
23c99f6
curl 7.66.0-DEV (x86_64-pc-linux-gnu) libcurl/7.66.0-DEV OpenSSL/1.1.1c zlib/1.2.11 libssh/0.8.7/openssl/zlib
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Debug HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP TrackMemory UnixSockets
operating system
Debian GNU/Linux 10
example code
The following program shows this issue. Most of the time, it crashes with a segmentation fault in the second curl_easy_perform() call.
See valgrind output for this example:
curl-heap-corruption-valgrind.txt