Closed
Conversation
... so that the CI and more detects compiler warnings/errors properly! Closes curl#2337
gss_seal/gss_unseal have been deprecated in favor of gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and "GSS_Unwrap() (formerly GSS_Unseal())". Use the nondeprecated functions to avoid deprecation warnings. [1] https://tools.ietf.org/html/rfc2078 [2] https://tools.ietf.org/html/rfc1964 Closes curl#2356
Check for existence of import and static libraries with documented names and use them if they do. Fallback to previous names. According to https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on Windows, the names of the import library is "zdll.lib" and static library is "zlib.lib". closes curl#2354
... as it is interesting for many users.
follow-up to e04417d
Refuse to operate when given path components featuring byte values lower than 32. Previously, inserting a %00 sequence early in the directory part when using the 'singlecwd' ftp method could make curl write a zero byte outside of the allocated buffer. Test case 340 verifies. CVE-2018-1000120 Reported-by: Duy Phan Thanh Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
CVE-2018-1000121 Reported-by: Dario Weisser Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
To sync it with changes made for the libssh2 project. Also cleanup some whitespace.
follow-up to 72a0f62
This reverts commit a577059. The assignment really needs to be there or we risk working with an uninitialized pointer.
... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types.
(mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED) Closes curl#2453
This reverts commit dc85437. libcurl (with the OpenSSL backend) performs server certificate verification even if verifypeer == 0 and the verification result is available using CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the CURLINFO_SSL_VERIFYRESULT to not have useful information for the verifypeer == 0 use case (it would always have X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY). Closes curl#2451
curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC 8089 but then returns an error saying this is unimplemented. This is actually a regression in behavior on both Windows and Unix. Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and then passed to the relevant OS API. This means that the behavior of this case is actually OS dependent. The Unix path resolution rules say that the OS must handle swallowing the extra "/" and so this path is the same as "/foo/bar" The Windows path resolution rules say that this is a UNC path and automatically handles the SMB access for the program. So curl on Windows was already doing Appendix E.3.2 without any special code in curl. Regression Closes curl#2438
In the situation of a client connecting to an FTP server using an IPv6 tunnel proxy, the connection info will indicate that the connection is IPv6. However, because the server behing the proxy is IPv4, it is permissable to attempt PSV mode. In the case of the FTP server being IPv4 only, EPSV will always fail, and with the current logic curl will be unable to connect to the server, as the IPv6 fwdproxy causes curl to think that EPSV is impossible. Closes curl#2432
Due to the check in Makefile.vc and MakefileBuild.vc, no make call can be invoked unless a build-type was specified. However, a clean target only existed when a build type was specified. As a result, the clean target was unreachable. Made clean target unconditional. Closes curl#2455
.. and do the same for build-wolfssl.bat. Because MS calls it VC14.1. Closes curl#2189
... since they return size_t anyway! closes curl#2462
Only treat response code as FTP response codes in case the protocol type is FTP. This fixes an issue where an HTTP download was treated as FTP in case libcurl returned with 33. This happens when the download has already finished and the server responses 416: HTTP/1.1 416 Requested Range Not Satisfiable This should not be treated as an FTP error. Fixes curl#2464 Closes curl#2465
... and use this type instead of 'sa_family_t' in the code since several platforms don't have it. Closes curl#2463
- Use _fseeki64 instead of fseek (long) to seek curl_off_t in Windows. - Use CURL_FORMAT_CURL_OFF_T specifier instead of %ld to print curl_off_t. Caught by Marc's CI builds.
The setenv command no longer exists and visual studio build prompts got changed. Used Visual Studio 2015/2017 as reference. Closes curl#2472
This works now and precise is in the process of being decommissioned.
a937736 to
5c1e423
Compare
MarcelRaad
pushed a commit
that referenced
this pull request
Apr 19, 2023
Fixes msan warnings:
==54195==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x55ece35e57cb in line_length /home/runner/work/curl/curl/tests/server/getpart.c:111:25
#1 0x55ece35e3b83 in readline /home/runner/work/curl/curl/tests/server/getpart.c:164:24
#2 0x55ece35e0269 in getpart /home/runner/work/curl/curl/tests/server/getpart.c:347:18
#3 0x55ece36180b6 in parse_servercmd /home/runner/work/curl/curl/tests/server/sws.c:283:13
Closes curl#10822
MarcelRaad
pushed a commit
that referenced
this pull request
Sep 5, 2023
`u->path = Curl_memdup(path, pathlen + 1);` accesses bytes after the null-terminator.
```
==2676==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x04d48c75 at pc 0x0112708a bp 0x006fb7e0 sp 0x006fb3c4
READ of size 78 at 0x04d48c75 thread T0
#0 0x1127089 in __asan_wrap_memcpy D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:840
#1 0x1891a0e in Curl_memdup C:\actions-runner\_work\client\client\third_party\curl\lib\strdup.c:97
#2 0x18db4b0 in parseurl C:\actions-runner\_work\client\client\third_party\curl\lib\urlapi.c:1297
#3 0x18db819 in parseurl_and_replace C:\actions-runner\_work\client\client\third_party\curl\lib\urlapi.c:1342
#4 0x18d6e39 in curl_url_set C:\actions-runner\_work\client\client\third_party\curl\lib\urlapi.c:1790
#5 0x1877d3e in parseurlandfillconn C:\actions-runner\_work\client\client\third_party\curl\lib\url.c:1768
#6 0x1871acf in create_conn C:\actions-runner\_work\client\client\third_party\curl\lib\url.c:3403
#7 0x186d8dc in Curl_connect C:\actions-runner\_work\client\client\third_party\curl\lib\url.c:3888
#8 0x1856b78 in multi_runsingle C:\actions-runner\_work\client\client\third_party\curl\lib\multi.c:1982
#9 0x18531e3 in curl_multi_perform C:\actions-runner\_work\client\client\third_party\curl\lib\multi.c:2756
```
Closes curl#11560
MarcelRaad
pushed a commit
that referenced
this pull request
Feb 27, 2024
In order to make MSAN happy:
==2200945==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x596f3b3ed246 in curlx_strtoofft [...]/libcurl/src/lib/strtoofft.c:239:11
#1 0x596f3b402156 in Curl_httpchunk_read [...]/libcurl/src/lib/http_chunks.c:149:12
#2 0x596f3b348550 in readwrite_data [...]/libcurl/src/lib/transfer.c:607:11
[...]
==2202041==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x5a3fab66a72a in Curl_parse_port [...]/libcurl/src/lib/urlapi.c:547:8
#1 0x5a3fab650645 in parse_authority [...]/libcurl/src/lib/urlapi.c:796:12
#2 0x5a3fab6740f6 in parseurl [...]/libcurl/src/lib/urlapi.c:1176:16
#3 0x5a3fab664fc5 in parseurl_and_replace [...]/libcurl/src/lib/urlapi.c:1342:12
[...]
==2202320==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x569076a0d6b0 in ipv4_normalize [...]/libcurl/src/lib/urlapi.c:683:12
#1 0x5690769f2820 in parse_authority [...]/libcurl/src/lib/urlapi.c:803:10
#2 0x569076a160f6 in parseurl [...]/libcurl/src/lib/urlapi.c:1176:16
#3 0x569076a06fc5 in parseurl_and_replace [...]/libcurl/src/lib/urlapi.c:1342:12
[...]
Signed-off-by: Louis Solofrizzo <lsolofrizzo@scaleway.com>
Closes curl#12995
MarcelRaad
pushed a commit
that referenced
this pull request
Jun 26, 2025
Before this patch the signal handler called `logmsg()` which in turn called `printf()` variants (internal implementations), and `FILE *` functions, `localtime()`. Some of these called `malloc`/`free`, which isn't supported in s signal handler. Replace them with `write` calls, losing some logging functionality. Also: - De-dupe and move `STD*_FILENO` macros to `lib/curl_setup.h`. Revert the `src` definition to point to `stderr`, instead of `tool_stderr`. Follow-up to e5bb88b curl#11958 POSIX specs with list of functions allowed in a signal handler: 2004: https://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html#tag_02_04_03 2017: https://pubs.opengroup.org/onlinepubs/9699919799/functions/V2_chap02.html#tag_15_04_03 2024: https://pubs.opengroup.org/onlinepubs/9799919799/functions/V2_chap02.html#tag_16_04_03 Linux CI run with the thread sanitizer going crazy when hitting the signal handler in test 1238 and 1242 (TFTP): ``` WARNING: ThreadSanitizer: signal-unsafe call inside of a signal (pid=12582) #0 malloc <null> (servers+0x5ed70) #1 _IO_file_doallocate <null> (libc.so.6+0x851b4) #2 formatf /home/runner/work/curl/curl/bld/tests/server/../../lib/../../lib/mprintf.c:886:9 (servers+0xdff77) [...] WARNING: ThreadSanitizer: signal-unsafe call inside of a signal (pid=12582) #0 free <null> (servers+0x5f453) #1 fclose <null> (libc.so.6+0x8532f) #2 logmsg /home/runner/work/curl/curl/bld/tests/server/../../../tests/server/util.c:134:5 (servers+0xe684d) ``` Ref: https://github.com/curl/curl/actions/runs/14118903372/job/39555309490?pr=16851 Closes curl#16852
MarcelRaad
pushed a commit
that referenced
this pull request
Aug 18, 2025
Replace autotools with cmake to avoid libtool wrappers that are changing `LD_LIBRARY_PATH` in a way incompatible with the thread sanitizer. To fix the output when the sanitizier is finding something: ``` ==51718==WARNING: Can't write to symbolizer at fd 7 /usr/bin/llvm-symbolizer-18: /home/runner/work/curl/curl/bld/lib/.libs/libcurl.so.4: no version information available (required by /usr/bin/llvm-symbolizer-18) /usr/bin/llvm-symbolizer-18: symbol lookup error: /home/runner/openssl/lib/libcrypto.so.3: undefined symbol: __tsan_func_entry ``` Ref: https://github.com/curl/curl/actions/runs/16911402500/job/47913783729#step:39:4466 After: ``` 13:50:04.117885 == Info:ThreadSanitizer: thread T1 finished with ignores enabled, created at: closing connection #0 #0 pthread_create <null> (libtests+0x6bc0f) (BuildId: 4fe889446291259934205ac03931c397aa0210d3) #1 Curl_thread_create /home/runner/work/curl/curl/lib/curl_threads.c:73:6 (libcurl.so.4+0x55a76) (BuildId: cb0f14ba2ad68c9cab0c980d9a5d7a53cc0782da) #2 async_thrdd_init /home/runner/work/curl/curl/lib/asyn-thrdd.c:500:26 (libcurl.so.4+0x1c153) (BuildId: cb0f14ba2ad68c9cab0c980d9a5d7a53cc0782da) [...] ``` Ref: https://github.com/curl/curl/actions/runs/16939193922/job/48003405272?pr=18274#step:39:4018 Also: - disable memory tracker which turned out to be incompatible with the thread sanitizer and detaching threads. Ref: curl#18263 and #curl IRC. - the job is ~30 seconds faster after this patch. Reported-by: Stefan Eissing Bug: curl#18263 (comment) Follow-up to a2bcec0 curl#14751 Closes curl#18274
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.