Remote memory disclosure vulnerability in libcurl on 64 Bit Windows
The core problem is an integer truncation caused by a difference in the size of the long primitive type between Windows and Linux systems. On 64-bit Linux and BSD systems, sizeof(long) returns 8, but on 64-bit Windows it is 4.

In the AddHttpPost function, a size_t bufferlength value is assigned to post->bufferlength; the bufferlength field in post, however, is a long. An attacker who is able to influence the size of the file upload can choose a length of 0x00000000FFFFFFFF (4294967295). When truncated to 4 bytes on Windows this becomes -1, which is the constant CURL_ZERO_TERMINATED. This means libcurl will then try to determine the size of the buffer by reading, and uploading, all content until it reaches a null byte, potentially reading outside of the expected buffer.
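The truncation described above, as an added example that is not libcurl's own code: Windows' 32-bit long is modelled with int32_t so the narrowing can be reproduced on a 64-bit Linux host, ZERO_TERMINATED is a stand-in for CURL_ZERO_TERMINATED, and the post_section struct and set_length_* functions are hypothetical simplifications of the assignment in AddHttpPost, with a range-checked variant beside the vulnerable one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* On Windows (LLP64) `long` is 32 bits even on x64. Modelled here with
 * int32_t so the same truncation happens when compiled on 64-bit Linux. */
typedef int32_t win_long;

/* Stand-in for libcurl's CURL_ZERO_TERMINATED, which is -1. */
#define ZERO_TERMINATED ((win_long)-1)

/* Minimal model of a post section: the length field is a (Windows) long. */
struct post_section {
    win_long bufferlength;
};

/* Vulnerable pattern: the size_t is narrowed into the long field with no
 * range check, so 0xFFFFFFFF silently becomes -1 == ZERO_TERMINATED. */
int set_length_vulnerable(struct post_section *p, size_t len)
{
    p->bufferlength = (win_long)len;
    return 0;
}

/* Hardened pattern: refuse any length that does not fit in a non-negative
 * long instead of letting it wrap into the sentinel value. */
int set_length_checked(struct post_section *p, size_t len)
{
    if (len > (size_t)INT32_MAX)
        return -1;              /* caller gets an error, nothing is truncated */
    p->bufferlength = (win_long)len;
    return 0;
}

/* Mirrors the downstream decision: would the library ignore the supplied
 * length and read the buffer up to the first NUL byte instead? */
bool treated_as_zero_terminated(const struct post_section *p)
{
    return p->bufferlength == ZERO_TERMINATED;
}

int main(void)
{
    struct post_section p;
    set_length_vulnerable(&p, (size_t)0xFFFFFFFFULL);
    printf("vulnerable: bufferlength=%d zero_terminated=%d\n",
           (int)p.bufferlength, treated_as_zero_terminated(&p));
    printf("checked: rc=%d\n", set_length_checked(&p, (size_t)0xFFFFFFFFULL));
    return 0;
}
```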