Commit a96784b9 authored by Daniel Stenberg

- David Bau filed bug report #2026240 "CURL_READFUNC_PAUSE leads to buffer
  overrun" (http://curl.haxx.se/bug/view.cgi?id=2026240) identifying two
  problems, and providing the fix for them:

  - CURL_READFUNC_PAUSE did in fact not pause the _sending_ of data that it is
    designed for but paused _receiving_ of data!

  - libcurl didn't internally set the read counter to zero when this return
    code was detected, which would potentially lead to junk getting sent to
    the server.
parent e0694443
+12 −0
@@ -6,6 +6,18 @@

                                  Changelog

Daniel Stenberg (26 Jul 2008)
- David Bau filed bug report #2026240 "CURL_READFUNC_PAUSE leads to buffer
  overrun" (http://curl.haxx.se/bug/view.cgi?id=2026240) identifying two
  problems, and providing the fix for them:

  - CURL_READFUNC_PAUSE did in fact not pause the _sending_ of data that it is
    designed for but paused _receiving_ of data!

  - libcurl didn't internally set the read counter to zero when this return
    code was detected, which would potentially lead to junk getting sent to
    the server.

Daniel Fandrich (26 Jul 2008)
- Added test 1044 to test large file support in ftp with -I.
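
Review bot: The entry quotes the bug title "buffer overrun", but neither bullet says where an overrun occurs; the second bullet only mentions junk being sent to the server. The transfer.c part of this commit also zeroes the counter on the abort and too-large-return paths, which the entry does not mention. Consider adding a bullet that names those paths and states whether the stale counter could cause a read past the upload buffer, so the severity can be judged from the changelog alone.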

+2 −1
@@ -34,6 +34,7 @@ This release includes the following bugfixes:
 o c-ares powered libcurls can resolve/use IPv6 addresses
 o poll not working on Windows Vista due to POLLPRI being incorrectly used
 o user-agent in CONNECT with non-HTTP protocols
 o CURL_READFUNC_PAUSE problems fixed

This release includes the following known bugs:
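
Review bot: "CURL_READFUNC_PAUSE problems fixed" in the bugfix list is too vague for a release note. Suggest wording that carries the user-visible effect, in line with the CHANGES entry: that the return code paused receiving instead of sending, and that junk could be sent to the server.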

@@ -54,7 +55,7 @@ advice from friends like these:
 Rob Crittenden, Dengminwen, Christopher Palow, Hans-Jurgen May,
 Phil Pellouchoud, Eduard Bloch, John Lightsey, Stephen Collyer, Tor Arntsen,
 Rolland Dudemaine, Phil Blundell, Scott Barrett, Andreas Schuldei,
 Peter Lamberg
 Peter Lamberg, David Bau


        Thanks! (and sorry if I forgot to mention someone)
+8 −3
@@ -132,16 +132,21 @@ CURLcode Curl_fillreadbuffer(struct connectdata *conn, int bytes, int *nreadp)

  if(nread == CURL_READFUNC_ABORT) {
    failf(data, "operation aborted by callback");
    *nreadp = 0;
    return CURLE_ABORTED_BY_CALLBACK;
  }
  else if(nread == CURL_READFUNC_PAUSE) {
    struct SingleRequest *k = &data->req;
    k->keepon |= KEEP_READ_PAUSE; /* mark reading as paused */
    /* CURL_READFUNC_PAUSE pauses read callbacks that feed socket writes */
    k->keepon |= KEEP_WRITE_PAUSE; /* mark socket send as paused */
    *nreadp = 0;
    return CURLE_OK; /* nothing was read */
  }
  else if((size_t)nread > buffersize)
  else if((size_t)nread > buffersize) {
    /* the read function returned a too large value */
    *nreadp = 0;
    return CURLE_READ_ERROR;
  }

  if(!data->req.forbidchunk && data->req.upload_chunky) {
    /* if chunked Transfer-Encoding */
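
Review bot: Three separate branches here (abort, pause, too-large return value) each have to remember `*nreadp = 0` before returning. Setting `*nreadp = 0` once at the top of Curl_fillreadbuffer would cover these and any early return added later, so a stale count can never reach the caller. In the pause branch, please also confirm that the unpause path clears KEEP_WRITE_PAUSE rather than KEEP_READ_PAUSE, and consider adding a test whose read callback returns CURL_READFUNC_PAUSE, since this commit touches only the changelog, the release notes and this file.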
@@ -1464,7 +1469,7 @@ CURLcode Curl_readwrite(struct connectdata *conn,
        else
          nread = 0; /* we're done uploading/reading */

        if(!nread && (k->keepon & KEEP_READ_PAUSE)) {
        if(!nread && (k->keepon & KEEP_WRITE_PAUSE)) {
          /* this is a paused transfer */
          break;
        }
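
Review bot: The `!nread` half of this condition appears to hold for a paused upload only because Curl_fillreadbuffer now zeroes `*nreadp` when it sees CURL_READFUNC_PAUSE. If that assignment is ever dropped, the break is skipped and the stale count is used. Either test `k->keepon & KEEP_WRITE_PAUSE` first on its own, or add a comment here naming that dependency. The comment "this is a paused transfer" could also say that it is the send side that is paused, now that the flag has changed.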