Fix handling of zero-byte chunk from hyper. #6951

@jsha jsha commented Apr 24, 2021

When curl is built with Hyper, nghttp2, and most TLS backends (other than crustls), it can produce reads from uninitialized memory. This is due to Hyper providing body chunks of length 0, and hyper_body_chunk passing those to Curl_client_write. When Curl_client_write gets a buf with a len of 0, it calls strlen on buf and uses that as the len:


Lines 604 to 620 in f014eec

```c
/* Curl_client_write() sends data to the write callback(s)

   The bit pattern defines to what "streams" to write to. Body and/or header.
   The defines are in sendf.h of course.

   If CURL_DO_LINEEND_CONV is enabled, data is converted IN PLACE to the
   local character encoding. This is a problem and should be changed in
   the future to leave the original data alone.
 */
CURLcode Curl_client_write(struct Curl_easy *data,
                           int type,
                           char *ptr,
                           size_t len)
{
  struct connectdata *conn = data->conn;

  if(0 == len)
    len = strlen(ptr);
```

Fixes hyperium/hyper#2512.

Thanks to @kevinburke for reporting.
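Added example, not part of the pull request or of curl's source: a small model of the "`len == 0` means measure with `strlen`" convention quoted above, showing how an empty body chunk is mis-measured and how a length check in the chunk handler keeps it away from that fallback. The names `model_client_write`, `chunk_unguarded`, `chunk_guarded` and `backing` are hypothetical, and the guard is one way to handle the case, not necessarily the change merged here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a write function with the convention quoted
   above: a len of 0 means "ptr is a NUL-terminated string, measure it".
   Returns the number of bytes it would hand to the write callback. */
static size_t model_client_write(const char *ptr, size_t len)
{
  if(0 == len)
    len = strlen(ptr);   /* only valid when ptr really is a C string */
  return len;
}

/* Body-chunk handler without a guard: forwards (buf, len) unchanged, so an
   empty chunk is reinterpreted as a C string of unknown length. */
static size_t chunk_unguarded(const char *buf, size_t len)
{
  return model_client_write(buf, len);
}

/* Body-chunk handler with a guard: an empty chunk carries no data, so it
   never reaches the strlen() fallback. */
static size_t chunk_guarded(const char *buf, size_t len)
{
  if(0 == len)
    return 0;
  return model_client_write(buf, len);
}

/* Constructed sample: an initialized, NUL-terminated backing buffer keeps
   this demonstration well-defined. The PR describes the real case as a read
   from uninitialized memory, where no terminator is guaranteed. */
static const char backing[] = "bytes-that-are-not-part-of-the-chunk";

int main(void)
{
  printf("unguarded, empty chunk: %zu bytes delivered\n",
         chunk_unguarded(backing, 0));
  printf("guarded, empty chunk:   %zu bytes delivered\n",
         chunk_guarded(backing, 0));
  printf("guarded, 5-byte chunk:  %zu bytes delivered\n",
         chunk_guarded(backing, 5));
  return 0;
}
```

Running the unguarded path under a memory checker such as Valgrind or MemorySanitizer with a genuinely uninitialized buffer is how this class of bug typically surfaces in testing.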


@kevinburke kevinburke commented Apr 24, 2021

I built this patch locally and confirmed it fixed the issue I reported in hyperium/hyper#2512.


bagder approved these changes Apr 25, 2021
@bagder bagder closed this in 5e7fc49 Apr 25, 2021

@bagder bagder commented Apr 25, 2021


