From 956e1ae84f2fec9f027b4ce80999744326b30992 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 24 Feb 2026 11:01:35 +0100
Subject: [PATCH] setopt: refuse blobs with zero length

A blob must have a length or it will not be accepted. By enforcing the
check here, TLS backend code can rely on the fact that the length is
always non-zero from this point.

Reported-by: aisle-research-bot
URL: https://github.com/curl/curl/pull/20689#pullrequestreview-3846390367
Closes #20705
---
 lib/setopt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/setopt.c b/lib/setopt.c
index 604c9cbc4c..5d5da804d4 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -107,7 +107,7 @@ CURLcode Curl_setblobopt(struct curl_blob **blobp,
 
   if(blob) {
     struct curl_blob *nblob;
-    if(blob->len > CURL_MAX_INPUT_LENGTH)
+    if(!blob->len || (blob->len > CURL_MAX_INPUT_LENGTH))
       return CURLE_BAD_FUNCTION_ARGUMENT;
     nblob = (struct curl_blob *)
       curlx_malloc(sizeof(struct curl_blob) +