transfer: clear the URL pointer in OOM to avoid UAF #21123

Closed
bagder wants to merge 1 commit into master from bagder/transfer-url-uaf

@bagder bagder commented Mar 27, 2026

Since the pointer can be extracted with CURLINFO_EFFECTIVE_URL later it must not linger pointing to freed memory.

Found by Codex Security

@testclutch

Analysis of PR #21123 at 2343f58f:

Test 1350 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 2 different CI jobs (the link just goes to one of them).

Generated by Testclutch

@bagder bagder requested a review from Copilot March 27, 2026 14:35
@bagder bagder marked this pull request as ready for review March 27, 2026 14:35

Copilot AI left a comment

Pull request overview

Fixes a potential use-after-free where data->state.url could continue to reference a freed URL string if curl_url_get() fails while CURLOPT_CURLU is in use, making later CURLINFO_EFFECTIVE_URL queries unsafe.

Changes:

  • Clear data->state.url when curl_url_get(..., CURLUPART_URL, ...) fails in Curl_pretransfer() to avoid dangling pointers.

Comment thread lib/transfer.c
@bagder bagder closed this in 86b39c2 Mar 27, 2026
@bagder bagder deleted the bagder/transfer-url-uaf branch March 27, 2026 14:56
dkarpov1970 pushed a commit to dkarpov1970/curl that referenced this pull request Apr 7, 2026
Since the pointer can be extracted with CURLINFO_EFFECTIVE_URL later it
must not linger pointing to freed memory.

Found by Codex Security

Closes curl#21123
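
A simplified model of the failure mode discussed in this pull request, added here as an illustration and not taken from curl's source or from the PR's diff. The `xfer` struct, `url_get`, `pretransfer` and `dangling_after_oom` are hypothetical names, and the out-of-memory condition is simulated with a flag.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not curl's structs: state_url aliases set_url. */
struct xfer {
  char *set_url;   /* owned copy of the URL string */
  char *state_url; /* borrowed alias, readable later through an info getter */
};
static uintptr_t last_freed; /* address of the most recently freed URL */

/* Stand-in for a URL getter that can fail under OOM (constructed). */
static int url_get(char **out, int simulate_oom)
{
  static const char url[] = "https://example.com/";
  *out = simulate_oom ? NULL : malloc(sizeof(url));
  if(*out)
    memcpy(*out, url, sizeof(url));
  return *out ? 0 : -1;
}

/* Re-derive the URL before a transfer; clear_on_fail selects the fix. */
static int pretransfer(struct xfer *x, int simulate_oom, int clear_on_fail)
{
  last_freed = (uintptr_t)x->set_url;
  free(x->set_url);
  if(url_get(&x->set_url, simulate_oom)) {
    if(clear_on_fail)
      x->state_url = NULL; /* the fix: no alias to freed memory survives */
    return -1;
  }
  x->state_url = x->set_url;
  return 0;
}

/* One good transfer, then one that hits OOM. Returns 1 if the alias still
   holds the freed address (compared as an integer, never dereferenced). */
static int dangling_after_oom(int clear_on_fail)
{
  struct xfer x = { NULL, NULL };
  if(pretransfer(&x, 0, clear_on_fail))
    return -1;
  pretransfer(&x, 1, clear_on_fail);
  return x.state_url && (uintptr_t)x.state_url == last_freed;
}

int main(void)
{
  printf("unpatched dangling: %d\n", dangling_after_oom(0));
  printf("patched dangling:   %d\n", dangling_after_oom(1));
  return 0;
}
```

In the unpatched path any later read through the alias would touch freed memory; in the patched path the getter sees NULL and can report that no URL is available.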