From a96784b98ebc60720514a788b87f66cd46abee62 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 26 Jul 2008 21:15:47 +0000 Subject: - David Bau filed bug report #2026240 "CURL_READFUNC_PAUSE leads to buffer overrun" (http://curl.haxx.se/bug/view.cgi?id=2026240) identifying two problems, and providing the fix for them: - CURL_READFUNC_PAUSE did in fact not pause the _sending_ of data that it is designed for but paused _receiving_ of data! - libcurl didn't internally set the read counter to zero when this return code was detected, which would potentially lead to junk getting sent to the server. --- lib/transfer.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/transfer.c b/lib/transfer.c index 91e3f5908..4201ad18a 100644 --- a/lib/transfer.c +++ b/lib/transfer.c @@ -132,16 +132,21 @@ CURLcode Curl_fillreadbuffer(struct connectdata *conn, int bytes, int *nreadp) if(nread == CURL_READFUNC_ABORT) { failf(data, "operation aborted by callback"); + *nreadp = 0; return CURLE_ABORTED_BY_CALLBACK; } else if(nread == CURL_READFUNC_PAUSE) { struct SingleRequest *k = &data->req; - k->keepon |= KEEP_READ_PAUSE; /* mark reading as paused */ + /* CURL_READFUNC_PAUSE pauses read callbacks that feed socket writes */ + k->keepon |= KEEP_WRITE_PAUSE; /* mark socket send as paused */ + *nreadp = 0; return CURLE_OK; /* nothing was read */ } - else if((size_t)nread > buffersize) + else if((size_t)nread > buffersize) { /* the read function returned a too large value */ + *nreadp = 0; return CURLE_READ_ERROR; + } if(!data->req.forbidchunk && data->req.upload_chunky) { /* if chunked Transfer-Encoding */ @@ -1464,7 +1469,7 @@ CURLcode Curl_readwrite(struct connectdata *conn, else nread = 0; /* we're done uploading/reading */ - if(!nread && (k->keepon & KEEP_READ_PAUSE)) { + if(!nread && (k->keepon & KEEP_WRITE_PAUSE)) { /* this is a paused transfer */ break; } -- cgit v1.2.3