1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 16:18:48 -05:00

http: fix crash in rate-limited upload

- Don't set the size of the piece of data to send to the rate limit if
  that limit is larger than the buffer size that will hold the piece.

Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
(curl tool: --limit-rate) was set then it was possible that a temporary
buffer used for uploading could be written to out of bounds. A likely
scenario for this would be a non-trivial amount of post data combined
with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).

The bug was introduced in 24e469f which is in releases since 7.76.0.

perl -e "print '0' x 200000" > tmp
curl --limit-rate 128k -d @tmp httpbin.org/post

Reported-by: Richard Marion

Fixes https://github.com/curl/curl/issues/7308
Closes https://github.com/curl/curl/pull/7315
This commit is contained in:
Jay Satiro 2021-06-29 11:43:35 -04:00
parent 2631722319
commit ca8893468f

View File

@ -1177,6 +1177,7 @@ static size_t readmoredata(char *buffer,
data->req.forbidchunk = (http->sending == HTTPSEND_REQUEST)?TRUE:FALSE; data->req.forbidchunk = (http->sending == HTTPSEND_REQUEST)?TRUE:FALSE;
if(data->set.max_send_speed && if(data->set.max_send_speed &&
(data->set.max_send_speed < (curl_off_t)fullsize) &&
(data->set.max_send_speed < http->postsize)) (data->set.max_send_speed < http->postsize))
/* speed limit */ /* speed limit */
fullsize = (size_t)data->set.max_send_speed; fullsize = (size_t)data->set.max_send_speed;