- Bug
- Resolution: Unresolved
- Major
- rhel-9.7
- Yes
- Important
- Patch, EasyFix
- Customer Facing, Customer Reported
- rhel-plumbers
What were you trying to do that didn't work?
There is an out-of-bounds write in curl when sending a data file that is larger than the specified speed limit and the speed limit is higher than 64K:
# ll testdata
-rw-r--r--. 1 root root 1048576 Nov 19 09:26 testdata
# curl 'http://localhost/test.txt' --data-binary "@/root/testdata" --limit-rate 200k
Segmentation fault (core dumped)
This is due to a bug that was introduced in the 7.76 branch but only fixed in the 7.78 branch:
commit ca8893468f3ca1bcd04a61691878e09b5824180c
Author: Jay Satiro <raysatiro@yahoo.com>
Date: Tue Jun 29 11:43:35 2021 -0400
http: fix crash in rate-limited upload
- Don't set the size of the piece of data to send to the rate limit if
that limit is larger than the buffer size that will hold the piece.
Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
(curl tool: --limit-rate) was set then it was possible that a temporary
buffer used for uploading could be written to out of bounds. A likely
scenario for this would be a non-trivial amount of post data combined
with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).
The bug was introduced in 24e469f which is in releases since 7.76.0.
perl -e "print '0' x 200000" > tmp
curl --limit-rate 128k -d @tmp httpbin.org/post
Reported-by: Richard Marion
Fixes https://github.com/curl/curl/issues/7308
Closes https://github.com/curl/curl/pull/7315
Please backport this commit ASAP.
What is the impact of this issue to you?
Can't transfer large files while setting a speed limit
Please provide the package NVR for which the bug is seen:
curl-7.76.1-34.el9
How reproducible is this bug?
Always
Steps to reproduce (courtesy of impacted customer)
- Configure a dummy HTTP server
# yum -y install httpd
# echo abcde > /var/www/html/test.txt
# systemctl start httpd
- Generate a 1MB file
# dd if=/dev/zero of=testdata bs=1024 count=1024
- Use curl to upload the file while setting a speed limit (64k < limit < size of file)
# curl 'http://localhost/test.txt' --data-binary "@/root/testdata" --limit-rate 200k
Expected results
No crash
Actual results
Segfault
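The size check that the quoted commit message describes, modelled in C as an added example: this is not curl's source and not part of the original report. The function names, the staging loop and the zero-filled 1 MiB body are assumptions constructed for illustration; only the 64k default buffer size and the 200k limit come from the page.

```c
#include <stdio.h>
#include <string.h>

#define UPLOAD_BUFSIZE (64 * 1024) /* default buffer size named in the commit message */

/* Pre-fix behaviour (modelled): the piece is sized to the rate limit
   without comparing that limit to the staging buffer's capacity. */
static size_t piece_unchecked(size_t remaining, size_t rate_limit)
{
  return (rate_limit && rate_limit < remaining) ? rate_limit : remaining;
}

/* Post-fix behaviour (modelled): the rate limit is used as the piece size
   only when it is smaller than the buffer; capacity is always the ceiling. */
static size_t piece_checked(size_t remaining, size_t rate_limit, size_t bufsize)
{
  size_t piece = remaining < bufsize ? remaining : bufsize;
  if(rate_limit && rate_limit < bufsize && rate_limit < piece)
    piece = rate_limit;
  return piece;
}

/* Stage a body through a fixed buffer. Returns the number of pieces staged,
   or -1 when a piece would not fit (the copy is refused, not performed). */
static long stage_upload(const char *body, size_t len, size_t rate_limit, int checked)
{
  static char buf[UPLOAD_BUFSIZE];
  long pieces = 0;
  size_t off = 0;
  while(off < len) {
    size_t n = checked ? piece_checked(len - off, rate_limit, sizeof(buf))
                       : piece_unchecked(len - off, rate_limit);
    if(n > sizeof(buf))
      return -1; /* this is where the out-of-bounds write would occur */
    memcpy(buf, body + off, n);
    off += n;
    pieces++;
  }
  return pieces;
}

int main(void)
{
  static char body[1024 * 1024]; /* constructed 1 MiB body, as in the report */
  printf("unchecked, 200k limit: %ld\n", stage_upload(body, sizeof(body), 200 * 1024, 0));
  printf("checked,   200k limit: %ld\n", stage_upload(body, sizeof(body), 200 * 1024, 1));
  printf("checked,    32k limit: %ld\n", stage_upload(body, sizeof(body), 32 * 1024, 1));
  return 0;
}
```

A limit below the buffer size behaves the same in both forms, which matches the report's condition that the crash needs a limit above 64k and a body larger than the limit.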