possible buffer overrun in Curl_infof #9149

Closed
yiyuaner opened this issue Jul 13, 2022 · 1 comment
In the file lib/sendf.c, the function Curl_infof has the following code:

void Curl_infof(struct Curl_easy *data, const char *fmt, ...) {
    ...
    size_t len;
    char buffer[MAXINFO + 2];
    /* mvsnprintf returns int; a -1 stored in size_t becomes SIZE_MAX */
    len = mvsnprintf(buffer, MAXINFO, fmt, ap);
    /* with len == SIZE_MAX this write lands far outside buffer */
    buffer[len++] = '\n';
}

Since the function mvsnprintf may return -1 (see the code here), the following buffer access buffer[len++] can trigger a buffer overrun.

Similarly, the code for Curl_failf may trigger a buffer overrun too:

void Curl_failf(struct Curl_easy *data, const char *fmt, ...) {
    size_t len;
    char error[CURL_ERROR_SIZE + 2];
    /* same pattern: an int -1 converts to SIZE_MAX in len */
    len = mvsnprintf(error, CURL_ERROR_SIZE, fmt, ap);
    error[len++] = '\n';
}
bagder commented Jul 13, 2022

It is indeed an error, but luckily I think dprintf_formatf never actually returns -1 inside libcurl so this error never happens. Should still fix of course.

@bagder bagder self-assigned this Jul 13, 2022
@bagder bagder changed the title from "[Bug] Buffer overrun in Curl_infof" to "possible buffer overrun in Curl_infof" Jul 13, 2022
bagder added a commit that referenced this issue Jul 13, 2022
This function no longer returns a negative value if the formatting
string is bad since the return value would sometimes be propagated as a
return code from the mprintf* functions and they are documented to
return the length of the output. Which cannot be negative.

Fixes #9149
Reported-by: yiyuaner on github
@bagder bagder closed this as completed in 0e48ac1 Jul 17, 2022
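As an added illustration (not code from the issue or from libcurl), the program below reproduces the unsigned-conversion defect described in the report and shows a call-site hardening of the same `buffer[len++] = '\n'` pattern. `fmt_maybe_fail` is a constructed stand-in for a formatter that can return -1 (it fails on a NULL format, since standard `vsnprintf` only fails on encoding errors); `MAXINFO`, `unsafe_newline_index` and `safe_format_line` are names chosen here, not curl's. `unsafe_newline_index` returns the index the unsafe pattern would write to instead of performing the write, so the program stays well-defined. The hardened version also clamps the length, because standard `vsnprintf` reports the untruncated length rather than the bytes written; curl's own fix, per the commit above, was instead to make its formatter never return a negative value.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXINFO 64   /* assumed buffer limit for the demo, not curl's value */

/* Constructed stand-in for a formatter that may fail with -1. Standard
   vsnprintf returns a negative value only on an encoding error, which is
   hard to trigger portably, so the failure path is simulated for fmt == NULL. */
static int fmt_maybe_fail(char *buf, size_t size, const char *fmt, va_list ap)
{
    if (fmt == NULL)
        return -1;
    return vsnprintf(buf, size, fmt, ap);
}

/* The pattern from the report: the int return value is stored in a size_t.
   Returns the index buffer[len++] would use, without writing, so that the
   out-of-bounds index can be observed safely. */
size_t unsafe_newline_index(const char *fmt, ...)
{
    char buffer[MAXINFO + 2];
    va_list ap;
    size_t len;

    va_start(ap, fmt);
    len = fmt_maybe_fail(buffer, MAXINFO, fmt, ap); /* -1 becomes SIZE_MAX */
    va_end(ap);
    return len;
}

/* Hardened variant: formats into a bounded buffer, appends '\n', and copies
   the result to out. A negative return is treated as an empty message and
   a return value >= MAXINFO (truncated output) is clamped to the bytes that
   were actually written. Returns the length of the line stored in out. */
size_t safe_format_line(char *out, size_t outsz, const char *fmt, ...)
{
    char buffer[MAXINFO + 2];
    va_list ap;
    int rc;
    size_t len;

    va_start(ap, fmt);
    rc = fmt_maybe_fail(buffer, MAXINFO, fmt, ap);
    va_end(ap);

    if (rc < 0)
        len = 0;                    /* formatting failed: emit just "\n" */
    else if ((size_t)rc >= MAXINFO)
        len = MAXINFO - 1;          /* truncated: NUL sits at MAXINFO - 1 */
    else
        len = (size_t)rc;

    buffer[len++] = '\n';           /* len <= MAXINFO - 1 here, always in bounds */
    buffer[len] = '\0';

    if (outsz == 0)
        return 0;
    if (len >= outsz)
        len = outsz - 1;
    memcpy(out, buffer, len);
    out[len] = '\0';
    return len;
}

int main(void)
{
    char out[128];

    printf("unsafe index on failure: %zu (SIZE_MAX is %zu)\n",
           unsafe_newline_index(NULL), (size_t)SIZE_MAX);
    safe_format_line(out, sizeof out, NULL);
    printf("hardened line on failure: %zu byte(s)\n", strlen(out));
    safe_format_line(out, sizeof out, "hello %s", "world");
    printf("hardened line: %s", out);
    return 0;
}
```

Compile with `cc -std=c99 -Wall demo.c` and run; the first line shows the index the unsafe pattern would write to when the formatter fails.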