The parameter `max_pkts` was not checked in the recvmsg() implementation
of vquic_recv_packets() as the packter counter was never increased. This
led to the loop running until an EAGAIN was encountered. Which, in any
real case scenario, does no harm as long as libcurl is ingesting packets
faster than a server is able to send them.
However on a slow device and a fast network this could happen and allow
a denial of serice.
Not a real regression as the vulnerable code has never been released.
libcurl 8.16.0 does not have this bug.
Closes#19186
With GnuTLS, a GNUTLS_E_REHANDSHAKE can be a renegotiate in TLSv1.2 or a
key update in TLSv1.3. This had been made non-blocking in
a1850ad7de but the comment warning about a
blocking call was not updated.
Closes#19187
Obtaining the remote ip of the control connection to be used for the
data connection can fail. Check that and fail the transfer when that
does not work.
Triggered by an OSS-Fuzz issue.
Closes#19185
The counter used to stop accepting cookies after a certain amount has
been received in a single response would previously also count some
cookies that were not actually accepted as they were discarded after the
counter was increased.
Starting now, the counter is increased only for cookies that were
accepted.
Pointed out by ZeroPath
Closes#19157
If one of the hmac init calls fail, Curl_HMAC_init previously would
return without first freeing the allocated HMAC_context.
Fixes#19176
Reported-by: WangDaLei on github
Closes#19177
Give ERRNO explanation in a failf() when unable to open a socket.
Helps in finding out what the issue preventing your curl to work
really is. Just had a wrong ulimit after a sys update.
Closes#19158
Before this patch, this code used to call `gss_release_buffer()` on
objects with buffers allocated via curl's allocator.
`gss_release_buffer()` calls system (or Win32) free on these buffers,
which may mismatch with curl's allocator. To fix it, align these calls
with the pattern used in vauth modules, by replacing
`gss_release_buffer()` with curl free to release the buffers.
Use `Curl_safefree()` to set the freed pointer to NULL, as
`gss_release_buffer()` did.
Also: use object length var when allocating.
Reported-by: Joshua Rogers
Closes#19018
No callers of this function checked the return code, meaning failures
are not lethal == using failf was wrong, and it can just as well return
void.
Closes#19137
Unless it is identical to the previous one.
Follow-up to dbcaa00657
Adjusted test 580, added test 772 and 773
Fixes#19130
Reported-by: Jakub Stasiak
Closes#19134
In init_config_builder_verifier() the call to
rustls_root_cert_store_builder_build() set result on failure but did not
return.
Pointed out by ZeroPath
Closes#19125
For all network related protocols there must be a non-blank hostname
used. This change adds a few asserts in some places to make debug/tests
catch mistakes if any such would slip in.
Closes#19146
This function could previously accidentally return true and a NULL path
if only whitespace was provided as argument.
Also, make it stricter and do not allow CR or LF within the string.
Use more strparse parsing.
Drop the comment saying this is from OpenSSH as it has now been
rewritten since then.
Closes#19141
To make sure callers can properly differentiate between errors and know
cleanly when EOF happens. Updated all users and unit test 3200.
Triggered by a remark by ZeroPath
Closes#19140
The code obtained a pointer resp via Curl_bufq_peek(), but called
Curl_bufq_skip() before it would access them in the failf() call.
The Curl_bufq_skip() call can trigger prune_head which may free or
recycle the chunk that resp points into.
Pointed out by ZeroPath
Closes#19139
Use LDAP_OPT_SUCCESS for ldap_get_option, as done in the other calls.
ber_sockbuf_ctrl returns 1 on success so reverse the logic.
Follow-up to f91be14bfbCloses#19138
Adopt ngtcp2_conn_get_stream_user_data which has been available since
ngtcp2 v1.17.0. This improves the time complexity of searching
h3_stream_ctx from O(n) to O(1) where n is the number of stream.
Closes#19132
- Do not leak memory on failed setting algorithm cipher list.
Discovered by ZeroPath.
- Do not free backend->cred after failed AcquireCredentialsHandle.
backend->cred is always freed later, during cleanup.
Closes https://github.com/curl/curl/pull/19118
In providercheck(), when failing to open the "store", the exit path
would not previously free the created UI_METHOD and instead leak this
resource.
Pointed out by ZeroPath
Closes#19114
- tool_formparse: replace truncated `fseek` with `curlx_fseek`.
- tool_operate: replace truncated `fseek` with `curlx_fseek`.
- tool_paramhlp: replace local duplicate `myfseek`, with `curlx_fseek`.
Follow-up to 4fb12f2891#19100Closes#19107
Before this patch system `malloc()`/`free()` were used to allocate
the buffer returned in the `output_token` object from the debug stub
of `gss_init_sec_context()` when enabled via `CURL_STUB_GSS_CREDS` in
debug-enabled libcurl builds. This object is later released via stock
`gss_release_buffer()`, which, in the Windows builds of MIT Kerberos,
doesn't use the system `free()`, but the Win32 `HeapFree()`.
Fix it by using the GSS alloc/free macros: `gssalloc_malloc()` and
`gssalloc_free()` from `gssapi_alloc.h`.
To make this work without MIT Kerberos feature detection, use a canary
macro to detect a version which installs `gssapi_alloc.h` for Windows.
For <1.15 (2016-11-30) releases, that do not install it, disable the GSS
debug stub in libcurl.
Strictly speaking, non-Windows builds would also need to use GSS
allocators, but, detecting support for `gssapi_alloc.h` is impossible
without build-level logic. Built-level logic is complex and overkill,
and MIT Kerberos, as of 1.22.1, uses standard malloc/free on
non-Windows platforms anyway. (except in GSS debug builds.)
Follow-up to 73840836a5#17752Closes#19064
For files with sizes using an exact multiple of 256 bytes, the final
successful read(s) filled the buffer(s) and the subsequent fread
returned 0 for EOF, which caused read_file_into to fail.
Now, it needs to return 0 and not be EOF to be an error.
Follow-up to dd95a49d49
Pointed out by ZeroPath
Closes#19104
Avoid the possible 64-bit offset truncation when used on systems with
small 'long', like Windows.
bonus: make mime_open_file() return bool
Pointed out by ZeroPath
Closes#19100
