diff options
| author | Jay Satiro <raysatiro@yahoo.com> | 2021-06-29 11:43:35 -0400 |
|---|---|---|
| committer | Jay Satiro <raysatiro@yahoo.com> | 2021-06-29 15:18:08 -0400 |
| commit | ca8893468f3ca1bcd04a61691878e09b5824180c (patch) | |
| tree | 52490c38d7f8c64d16e5b7e7a28c262047953724 | |
| parent | 26317223194e5df9ac6321fb78cbe1a5005dd8b6 (diff) | |
| download | curl-ca8893468f3ca1bcd04a61691878e09b5824180c.tar.gz | |
http: fix crash in rate-limited upload
- Don't set the size of the piece of data to send to the rate limit if
that limit is larger than the buffer size that will hold the piece.
Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
(curl tool: --limit-rate) was set then it was possible that a temporary
buffer used for uploading could be written to out of bounds. A likely
scenario for this would be a non-trivial amount of post data combined
with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).
The bug was introduced in 24e469f which is in releases since 7.76.0.
perl -e "print '0' x 200000" > tmp
curl --limit-rate 128k -d @tmp httpbin.org/post
Reported-by: Richard Marion
Fixes https://github.com/curl/curl/issues/7308
Closes https://github.com/curl/curl/pull/7315
| -rw-r--r-- | lib/http.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/http.c b/lib/http.c index 6d5d8fb3b..ac0301bc4 100644 --- a/lib/http.c +++ b/lib/http.c @@ -1177,6 +1177,7 @@ static size_t readmoredata(char *buffer, data->req.forbidchunk = (http->sending == HTTPSEND_REQUEST)?TRUE:FALSE; if(data->set.max_send_speed && + (data->set.max_send_speed < (curl_off_t)fullsize) && (data->set.max_send_speed < http->postsize)) /* speed limit */ fullsize = (size_t)data->set.max_send_speed; |