Remote memory disclosure vulnerability in libcurl on 64 Bit Windows

We discussed this vulnerability as part of our weekly podcast on 02 March 2022

The core problem is an integer truncation due to a difference in the size of the long primitive type between Windows and Linux systems. On Linux and BSD systems, sizeof(long) will return 8, but on Windows this value is 4.

In the AddHttpPost function, a size_t bufferlength value is assigned to the post->bufferlength the bufferlength field in post however is a long. An attacker who is able to influence the size of the file upload, can choose a length of 0x00000000FFFFFFFF (4294967295). When truncated to 4 bytes on Windows it will become -1 which is the constant CURL_ZERO_TERMINATED. Meaning libcurl will then try to determine the size of the buffer by reading, and uploading all content until there is a null byte, potentially reading outside of the expected buffer.