Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bugs in all curl_set_opt calls with enum arguments as values. #9779

Closed
sergio-nsk opened this issue Oct 21, 2022 · 2 comments
Closed

Bugs in all curl_set_opt calls with enum arguments as values. #9779

sergio-nsk opened this issue Oct 21, 2022 · 2 comments

Comments

@sergio-nsk
Copy link
Contributor

sergio-nsk commented Oct 21, 2022

I did this

Let's consider the example with CURLOPT_SSLVERSION.

The function synopsis

CURLcode curl_easy_setopt(CURL *curl, CURLoption option, ...);

The call semantics

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLVERSION, long version);

Example

curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

Reading the value (shortened)

  case CURLOPT_SSLVERSION:
      arg = va_arg(param, long);

The issue on all 64 bit OSes except Windows: the enum value CURL_SSLVERSION_TLSv1 promoted to int (32 bit) is used for the call to the variable arg function, the value is read as long (64 bit), a possible buffer over-read vulnerability.

I expected the following

enum values are passed as long values.

curl/libcurl version

libcurl 7.84.0

operating system

Ubuntu 22.04.1, macOS 12.4

@bagder
Copy link
Member

bagder commented Oct 21, 2022

The documentation for this option says:

Pass a long as parameter to control...

A long.

@sergio-nsk
Copy link
Contributor Author

sergio-nsk commented Oct 21, 2022

The documentation for this option says:

Pass a long as parameter to control...

A long.

Right. And the example in the documentation passes int.

bagder added a commit that referenced this issue Oct 21, 2022
@bagder bagder removed the not-a-curl-bug This is not a bug in curl label Oct 21, 2022
@bagder bagder closed this as completed in 873cc38 Oct 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging a pull request may close this issue.

2 participants