mirror of
https://github.com/moparisthebest/curl
synced 2024-12-22 08:08:50 -05:00
http: fix crash in rate-limited upload
- Don't set the size of the piece of data to send to the rate limit if
that limit is larger than the buffer size that will hold the piece.
Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
(curl tool: --limit-rate) was set then it was possible that a temporary
buffer used for uploading could be written to out of bounds. A likely
scenario for this would be a non-trivial amount of post data combined
with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).
The bug was introduced in 24e469f
which is in releases since 7.76.0.
perl -e "print '0' x 200000" > tmp
curl --limit-rate 128k -d @tmp httpbin.org/post
Reported-by: Richard Marion
Fixes https://github.com/curl/curl/issues/7308
Closes https://github.com/curl/curl/pull/7315
This commit is contained in:
parent
2631722319
commit
ca8893468f
@ -1177,6 +1177,7 @@ static size_t readmoredata(char *buffer,
|
|||||||
data->req.forbidchunk = (http->sending == HTTPSEND_REQUEST)?TRUE:FALSE;
|
data->req.forbidchunk = (http->sending == HTTPSEND_REQUEST)?TRUE:FALSE;
|
||||||
|
|
||||||
if(data->set.max_send_speed &&
|
if(data->set.max_send_speed &&
|
||||||
|
(data->set.max_send_speed < (curl_off_t)fullsize) &&
|
||||||
(data->set.max_send_speed < http->postsize))
|
(data->set.max_send_speed < http->postsize))
|
||||||
/* speed limit */
|
/* speed limit */
|
||||||
fullsize = (size_t)data->set.max_send_speed;
|
fullsize = (size_t)data->set.max_send_speed;
|
||||||
|
Loading…
Reference in New Issue
Block a user