- David Bau filed bug report #2026240 "CURL_READFUNC_PAUSE leads to buffer

overrun" (http://curl.haxx.se/bug/view.cgi?id=2026240) identifying two
  problems, and providing the fix for them:

  - CURL_READFUNC_PAUSE did in fact not pause the _sending_ of data that it is
    designed for but paused _receiving_ of data!

  - libcurl didn't internally set the read counter to zero when this return
    code was detected, which would potentially lead to junk getting sent to
    the server.

CHANGES

@@ -6,6 +6,18 @@
 
                                   Changelog
 
+Daniel Stenberg (26 Jul 2008)
+- David Bau filed bug report #2026240 "CURL_READFUNC_PAUSE leads to buffer
+  overrun" (http://curl.haxx.se/bug/view.cgi?id=2026240) identifying two
+  problems, and providing the fix for them:
+
+  - CURL_READFUNC_PAUSE did in fact not pause the _sending_ of data that it is
+    designed for but paused _receiving_ of data!
+
+  - libcurl didn't internally set the read counter to zero when this return
+    code was detected, which would potentially lead to junk getting sent to
+    the server.
+
 Daniel Fandrich (26 Jul 2008)
 - Added test 1044 to test large file support in ftp with -I.
 

RELEASE-NOTES

@@ -34,6 +34,7 @@ This release includes the following bugfixes:
  o c-ares powered libcurls can resolve/use IPv6 addresses
  o poll not working on Windows Vista due to POLLPRI being incorrectly used
  o user-agent in CONNECT with non-HTTP protocols
+ o CURL_READFUNC_PAUSE problems fixed
 
 This release includes the following known bugs:
 
@@ -54,7 +55,7 @@ advice from friends like these:
  Rob Crittenden, Dengminwen, Christopher Palow, Hans-Jurgen May,
  Phil Pellouchoud, Eduard Bloch, John Lightsey, Stephen Collyer, Tor Arntsen,
  Rolland Dudemaine, Phil Blundell, Scott Barrett, Andreas Schuldei,
- Peter Lamberg
+ Peter Lamberg, David Bau
 
 
         Thanks! (and sorry if I forgot to mention someone)

lib/transfer.c

@@ -132,16 +132,21 @@ CURLcode Curl_fillreadbuffer(struct connectdata *conn, int bytes, int *nreadp)
 
   if(nread == CURL_READFUNC_ABORT) {
     failf(data, "operation aborted by callback");
+    *nreadp = 0;
     return CURLE_ABORTED_BY_CALLBACK;
   }
   else if(nread == CURL_READFUNC_PAUSE) {
     struct SingleRequest *k = &data->req;
-    k->keepon |= KEEP_READ_PAUSE; /* mark reading as paused */
+    /* CURL_READFUNC_PAUSE pauses read callbacks that feed socket writes */
+    k->keepon |= KEEP_WRITE_PAUSE; /* mark socket send as paused */
+    *nreadp = 0;
     return CURLE_OK; /* nothing was read */
   }
-  else if((size_t)nread > buffersize)
+  else if((size_t)nread > buffersize) {
     /* the read function returned a too large value */
+    *nreadp = 0;
     return CURLE_READ_ERROR;
+  }
 
   if(!data->req.forbidchunk && data->req.upload_chunky) {
     /* if chunked Transfer-Encoding */
@@ -1464,7 +1469,7 @@ CURLcode Curl_readwrite(struct connectdata *conn,
         else
           nread = 0; /* we're done uploading/reading */
 
-        if(!nread && (k->keepon & KEEP_READ_PAUSE)) {
+        if(!nread && (k->keepon & KEEP_WRITE_PAUSE)) {
           /* this is a paused transfer */
           break;
         }