possible buffer overrun in Curl_infof #9149

yiyuaner · 2022-07-13T03:21:05Z

In the file lib/sendf.c, the function Curl_infof has the following code:

void Curl_infof(struct Curl_easy *data, const char *fmt, ...) {
    ...
    size_t len;
    char buffer[MAXINFO + 2];
    len = mvsnprintf(buffer, MAXINFO, fmt, ap);
    buffer[len++] = '\n';
}

Since the function mvsnprintf may return -1 (see the code here), the following buffer access buffer[len++] can trigger a buffer overrun.

Similarly, the code for Curl_failf may trigger buffer overrun too:

void Curl_failf(struct Curl_easy *data, const char *fmt, ...) {
    size_t len;
    char error[CURL_ERROR_SIZE + 2];
    len = mvsnprintf(error, CURL_ERROR_SIZE, fmt, ap);
    error[len++] = '\n';
}

The text was updated successfully, but these errors were encountered:

bagder · 2022-07-13T09:21:14Z

It is indeed an error, but luckily I think dprintf_formatf never actually returns -1 inside libcurl so this error never happens. Should still fix of course.

This function no longer returns a negative value if the formatting string is bad since the return value would sometimes be propagated as a return code from the mprintf* functions and they are documented to return the length of the output. Which cannot be negative. Fixes #9149 Reported-by: yiyuaner on github

bagder self-assigned this Jul 13, 2022

bagder changed the title ~~[Bug] Buffer overrun in Curl_infof~~ possible buffer overrun in Curl_infof Jul 13, 2022

bagder mentioned this issue Jul 13, 2022

mprintf: make dprintf_formatf never return negative #9151

Closed

bagder closed this as completed in 0e48ac1 Jul 17, 2022

possible buffer overrun in Curl_infof #9149

possible buffer overrun in Curl_infof #9149

yiyuaner commented Jul 13, 2022

bagder commented Jul 13, 2022

possible buffer overrun in Curl_infof #9149

possible buffer overrun in Curl_infof #9149

Comments

yiyuaner commented Jul 13, 2022

bagder commented Jul 13, 2022