curl is at curl.se / Bugs / #612 Stack overwrite under 64-bit Windows

curl is at curl.haxx.se

#612 Stack overwrite under 64-bit Windows

Status: closed-accepted

Owner: Daniel Stenberg

Labels: libcurl (356)

Priority: 5

Updated: 2015-04-15

Created: 2006-11-13

Creator: Anonymous

Private: No

PROBLEM

If compiled for Windows x64 (and possibly other 64-bit
platforms), the function Curl_httpchunk_read() in
http_chunks.c causes a stack overwrite in its caller.

This applies to libcurl 7.16.0 (and probably earlier
versions).

CAUSE

This is caused by this line: http_chunks.c(111):

size_t *wrote = (size_t *)wrotep;

The wrotep argument is of type (ssize_t *). This cast
tacitly assumes that sizeof(size_t) == sizeof(ssize_t).

In config-win32.h 'ssize_t' defaults to 'int'. This
works on 32-bit Windows platforms, but on 64-bit
platforms 'size_t' is widened to 64 bits (unsigned
__int64) and writing through *wrote writes 64 bits,
whereas wrotep only addresses 32 bits (namely, the
'int' that 'ssize_t' defaults to). In other words,
sizeof(size_t) > sizeof(ssize_t) in that case.

RESOLUTION

In config_win32.h, change the lines:

/* Define to 'int' if ssize_t is not an available
'typedefed' type */
#if (defined(__WATCOMC__) && (__WATCOMC__ >= 1240)) ||
defined(__POCC__)
#else
#define ssize_t int
#endif

...to:

/* Define to 'long' or '__int64' if ssize_t is not an
available 'typedefed' type */
#if (defined(__WATCOMC__) && (__WATCOMC__ >= 1240)) ||
defined(__POCC__)
#elif defined(_WIN64)
#define ssize_t __int64
#else
#define ssize_t long
#endif

Best wishes,
Ron <support@tarma.com>

Discussion

Daniel Stenberg - 2006-11-13

status: open --> closed-accepted
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Stenberg - 2006-11-13

Logged In: YES
user_id=1110

Thanks a lot! I've committed a fix just now (but I left it
'int' for 32bit versions).

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Tigzy - 2015-04-14

Hello,
same bug comes back in curl_config.h

/ the signed version of size_t /

define ssize_t long

should be

/ the signed version of size_t /

define ssize_t __int64

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Tigzy - 2015-04-14

or better:

/ the signed version of size_t /

if defined(_WIN64)

define ssize_t __int64

else

define ssize_t long

endif

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Stenberg - 2015-04-14

please use the issue tracker on github or post to the mailing list.

please clarify how this bug occurs for you, we have fixes in place for this so how come you get hurt like this?

which libcurl version are you using and how are you building it?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Tigzy - 2015-04-15

Hello

it occurs using cmake, last lines here:
https://github.com/bagder/curl/blob/master/lib/curl_config.h.cmake

latest.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Stenberg - 2015-04-15

Then please submit this issue in the current bug tracker: https://github.com/bagder/curl/issues

Commenting on a bug that was closed many years ago is very hard for people to detect.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Tigzy - 2015-04-15

Ok.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Stack overwrite under 64-bit Windows

curl is at curl.haxx.se

Searches

Help

#612 Stack overwrite under 64-bit Windows

Discussion

define ssize_t long

define ssize_t __int64

if defined(_WIN64)

define ssize_t __int64

else

define ssize_t long

endif