Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix handling of zero-byte chunk from hyper. #6951

wants to merge 1 commit into from


Copy link

@jsha jsha commented Apr 24, 2021

When curl is built with Hyper, nghttp2, and most TLS backends (other than crustls), it can produce reads from uninitialized memory. This is due to Hyper providing body chunks of length 0, and hyper_body_chunk passing those to Curl_client_write. When Curl_client_write gets a buf with a len of 0, it calls strlen on buf and uses that as the len:


Lines 604 to 620 in f014eec

/* Curl_client_write() sends data to the write callback(s)
The bit pattern defines to what "streams" to write to. Body and/or header.
The defines are in sendf.h of course.
If CURL_DO_LINEEND_CONV is enabled, data is converted IN PLACE to the
local character encoding. This is a problem and should be changed in
the future to leave the original data alone.
CURLcode Curl_client_write(struct Curl_easy *data,
int type,
char *ptr,
size_t len)
struct connectdata *conn = data->conn;
if(0 == len)
len = strlen(ptr);

Fixes hyperium/hyper#2512.

Thanks to @kevinburke for reporting.

Copy link

I built this patch locally and confirmed it fixed the issue I reported in hyperium/hyper#2512.

@bagder bagder closed this in 5e7fc49 Apr 25, 2021
Copy link

bagder commented Apr 25, 2021


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

Successfully merging this pull request may close these issues.

uninitialized memory being printed after end of HTTP response
3 participants