Fix handling of zero-byte chunk from hyper. #6951

Closed
wants to merge 1 commit into from

Contributor

@jsha jsha commented Apr 24, 2021

When curl is built with Hyper, nghttp2, and most TLS backends (other than crustls), it can produce reads from uninitialized memory. This is due to Hyper providing body chunks of length 0, and hyper_body_chunk passing those to Curl_client_write. When Curl_client_write gets a buf with a len of 0, it calls strlen on buf and uses that as the len:

curl/lib/sendf.c

Lines 604 to 620 in f014eec

```c
/* Curl_client_write() sends data to the write callback(s)

   The bit pattern defines to what "streams" to write to. Body and/or header.
   The defines are in sendf.h of course.

   If CURL_DO_LINEEND_CONV is enabled, data is converted IN PLACE to the
   local character encoding. This is a problem and should be changed in
   the future to leave the original data alone.
 */
CURLcode Curl_client_write(struct Curl_easy *data,
                           int type,
                           char *ptr,
                           size_t len)
{
  struct connectdata *conn = data->conn;
  if(0 == len)
    len = strlen(ptr);
```

Fixes hyperium/hyper#2512.

Thanks to @kevinburke for reporting.
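
The pattern described in this pull request, as an added example (not curl's code and not the patch merged in 5e7fc49): a sink that treats `len == 0` as "measure the buffer with strlen", fed by a chunk forwarder with and without a zero-length guard. The names `sink_write`, `deliver` and `demo` and the sample buffers are constructed for illustration; the stale buffer is zero-padded so the demo itself stays in bounds, whereas a real body chunk carries no NUL terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A body chunk: by contract buf is raw bytes, NOT NUL-terminated. */
struct chunk { const char *buf; size_t len; };

/* Sink using the convention quoted above: len == 0 means "call strlen". */
static size_t sink_write(char *out, size_t used, size_t cap,
                         const char *ptr, size_t len)
{
  if(0 == len)
    len = strlen(ptr);        /* for a raw chunk this walks past its end */
  if(len > cap - used)
    len = cap - used;
  memcpy(out + used, ptr, len);
  return used + len;
}

/* Forward chunks to the sink; returns the number of bytes delivered. */
size_t deliver(const struct chunk *c, size_t n, int guard,
               char *out, size_t cap)
{
  size_t used = 0, i;
  for(i = 0; i < n; i++) {
    if(guard && 0 == c[i].len)
      continue;               /* empty chunk: nothing to hand to the sink */
    used = sink_write(out, used, cap, c[i].buf, c[i].len);
  }
  return used;
}

/* Constructed input: a 5-byte chunk, then an empty chunk that points at a
   reused receive buffer still holding 11 bytes from earlier traffic. */
size_t demo(int guard)
{
  static const char rx[16] = "stale-bytes";   /* zero-padded for the demo */
  static const char body[] = "hello";
  struct chunk chunks[2] = { { body, 5 }, { rx, 0 } };
  char out[64];
  return deliver(chunks, 2, guard, out, sizeof(out));
}

int main(void)
{
  printf("unguarded: %zu bytes, guarded: %zu bytes\n", demo(0), demo(1));
  return 0;
}
```

Without the guard the write callback receives 11 bytes that were never part of the response body; with it, only the 5 real bytes are delivered.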

Contributor

@kevinburke kevinburke commented Apr 24, 2021

I built this patch locally and confirmed it fixed the issue I reported in hyperium/hyper#2512.

bagder approved these changes Apr 25, 2021
@bagder bagder closed this in 5e7fc49 Apr 25, 2021
Member

@bagder bagder commented Apr 25, 2021

thanks!
