diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2016-10-08 12:50:42 +0200 |
|---|---|---|
| committer | ng0 <ng0@infotropique.org> | 2017-08-22 15:09:23 +0000 |
| commit | b1bf48f8827bd9d7c49d4ce5b4c77e62d8e88082 (patch) | |
| tree | e754d3b08f3fdead97d2733aa86ac9cc5b9a03d9 /lib/formdata.c | |
| parent | 0e7102b7b47f862d29fd0a96785ec7c8e56aa383 (diff) | |
| download | gnurl-b1bf48f8827bd9d7c49d4ce5b4c77e62d8e88082.tar.gz gnurl-b1bf48f8827bd9d7c49d4ce5b4c77e62d8e88082.tar.bz2 gnurl-b1bf48f8827bd9d7c49d4ce5b4c77e62d8e88082.zip | |
formpost: avoid silent snprintf() truncation
The previous use of snprintf() could make libcurl silently truncate some
input data and not report that back on overly large input, which could
make data get sent over the network in a bad format.
Example:
$ curl --form 'a=b' -H "Content-Type: $(perl -e 'print "A"x4100')"
Diffstat (limited to 'lib/formdata.c')
| -rw-r--r-- | lib/formdata.c | 35 |
1 files changed, 25 insertions, 10 deletions
diff --git a/lib/formdata.c b/lib/formdata.c index 13901b330..ae75fe175 100644 --- a/lib/formdata.c +++ b/lib/formdata.c @@ -845,16 +845,23 @@ static CURLcode AddFormData(struct FormData **formp, goto error; } #endif + if(type != FORM_DATAMEM) { + newform->line = malloc((size_t)length+1); + if(!newform->line) { + result = CURLE_OUT_OF_MEMORY; + goto error; + } + alloc2 = newform->line; + memcpy(newform->line, line, (size_t)length); - newform->line = malloc((size_t)length+1); - if(!newform->line) { - result = CURLE_OUT_OF_MEMORY; - goto error; + /* zero terminate for easier debugging */ + newform->line[(size_t)length]=0; + } + else { + newform->line = (char *)line; + type = FORM_DATA; /* in all other aspects this is just FORM_DATA */ } - alloc2 = newform->line; - memcpy(newform->line, line, (size_t)length); newform->length = (size_t)length; - newform->line[(size_t)length]=0; /* zero terminate for easier debugging */ } else /* For callbacks and files we don't have any actual data so we just keep a @@ -907,13 +914,21 @@ static CURLcode AddFormDataf(struct FormData **formp, curl_off_t *size, const char *fmt, ...) { - char s[4096]; + char *s; + CURLcode result; va_list ap; va_start(ap, fmt); - vsnprintf(s, sizeof(s), fmt, ap); + s = curl_mvaprintf(fmt, ap); va_end(ap); - return AddFormData(formp, FORM_DATA, s, 0, size); + if(!s) + return CURLE_OUT_OF_MEMORY; + + result = AddFormData(formp, FORM_DATAMEM, s, 0, size); + if(result) + free(s); + + return result; } /* |