Bug#310948: marked as done (curl fails when HTTP response headers contain null bytes)

[Debian Bug Tracking System]

Your message dated Mon, 22 Aug 2005 07:17:08 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#310948: fixed in curl 7.13.2-2sarge1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 27 May 2005 06:19:06 +0000
>From [EMAIL PROTECTED] Thu May 26 23:19:06 2005
Return-path: <[EMAIL PROTECTED]>
Received: from ux9.sp.cs.cmu.edu [128.2.220.166] 
        by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
        id 1DbYBW-00010I-00; Thu, 26 May 2005 23:19:06 -0700
Received: from c-24-3-154-200.hsd1.pa.comcast.net ([24.3.154.200])
          by ux9.sp.cs.cmu.edu id aa02412; 26 May 2005 21:10 EDT
Received: from ecc by stratocaster.home with local (Exim 4.50)
        id 1DbTMy-0000pt-O1
        for [EMAIL PROTECTED]; Thu, 26 May 2005 21:10:36 -0400
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Eric Cooper <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: curl fails when HTTP response headers contain null bytes
X-Mailer: reportbug 3.8
Date: Thu, 26 May 2005 21:10:36 -0400
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.6 required=4.0 tests=BAYES_00,DATE_IN_PAST_03_06,
        HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: curl
Version: 7.13.2-2
Severity: important

Some broken HTTP servers return response headers containing null bytes.
For example:
    http://ftp.pl.debian.org/debian/dists/sarge/main/binary-i386/Packages.gz
(at least until the webmaster fixes it).

When curl is parsing header lines, it reads a buffer and then looks
for the end-of-line by doing
            k->end_ptr = strchr (k->str_start, '\n');
in lib/transfer.c

But this is incorrect if the buffer contains embedded nulls -- the
strchr search will terminate too soon.  Then more data gets appended
to the header, the true CRLF termination is missed, and curl returns
insanely long headers which are actually part of the response data.

Here is a simple test program to reproduce the problem:

---- cut here ----
#include <stdio.h>
#include <stdlib.h>
#include <curl/curl.h>

void
get_headers(char *url)
{
    CURL *handle;
    const int TRUE = 1;

    handle = curl_easy_init();

    // write headers to stdout
    curl_easy_setopt(handle, CURLOPT_HEADERFUNCTION, fwrite);
    curl_easy_setopt(handle, CURLOPT_WRITEHEADER, stdout);

    // exit when the data arrives
    curl_easy_setopt(handle, CURLOPT_WRITEFUNCTION, exit);

#if DEBUG
    curl_easy_setopt(handle, CURLOPT_VERBOSE, TRUE);
#endif

    curl_easy_setopt(handle, CURLOPT_URL, url);
    curl_easy_setopt(handle, CURLOPT_HTTPGET, TRUE);
    curl_easy_perform(handle);
}

int
main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "Usage: %s URL\n", argv[0]);
        exit(1);
    }
    get_headers(argv[1]);
    return 0;
}
---- cut here ----

Run
    ./ctest 
http://ftp.pl.debian.org/debian/dists/sarge/main/binary-i386/Packages.gz > foo"
and examine foo with hexdump or emacs to see the problem.

Here is a patch that seems to fix it, but I've only tested it with the
site above.

---- patch ----
diff -ur curl-7.13.2/lib/transfer.c curl-7.13.2-ecc/lib/transfer.c
--- curl-7.13.2/lib/transfer.c  2005-02-16 09:31:33.000000000 -0500
+++ curl-7.13.2-ecc/lib/transfer.c      2005-05-26 20:48:40.000000000 -0400
@@ -351,11 +351,20 @@
             size_t rest_length;
             size_t full_length;
             int writetype;
+            int i;
 
             /* str_start is start of line within buf */
             k->str_start = k->str;
 
-            k->end_ptr = strchr (k->str_start, '\n');
+            /* we can't use strchr or index to find the end of line because
+               broken HTTP servers might put null bytes in the headers */
+            k->end_ptr = 0;
+            for (i = 0; i < nread; i++) {
+              if (k->str_start[i] == '\n') {
+                k->end_ptr = k->str_start + i;
+                break;
+              }
+            }
 
             if (!k->end_ptr) {
               /* Not a complete header line within buffer, append the data to
---- end patch ----

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.10
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages curl depends on:
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an
ii  libcurl3                    7.13.2-2     Multi-protocol file transfer libra
ii  libidn11                    0.5.13-1.0   GNU libidn library, implementation
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries
ii  zlib1g                      1:1.2.2-4    compression library - runtime

-- no debconf information

---------------------------------------
Received: (at 310948-close) by bugs.debian.org; 22 Aug 2005 14:24:18 +0000
>From [EMAIL PROTECTED] Mon Aug 22 07:24:18 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1E7D6q-0005pD-00; Mon, 22 Aug 2005 07:17:08 -0700
From: Domenico Andreoli <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#310948: fixed in curl 7.13.2-2sarge1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 22 Aug 2005 07:17:08 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: curl
Source-Version: 7.13.2-2sarge1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.13.2-2sarge1.diff.gz
  to pool/main/c/curl/curl_7.13.2-2sarge1.diff.gz
curl_7.13.2-2sarge1.dsc
  to pool/main/c/curl/curl_7.13.2-2sarge1.dsc
curl_7.13.2-2sarge1_i386.deb
  to pool/main/c/curl/curl_7.13.2-2sarge1_i386.deb
libcurl3-dbg_7.13.2-2sarge1_i386.deb
  to pool/main/c/curl/libcurl3-dbg_7.13.2-2sarge1_i386.deb
libcurl3-dev_7.13.2-2sarge1_i386.deb
  to pool/main/c/curl/libcurl3-dev_7.13.2-2sarge1_i386.deb
libcurl3-gssapi_7.13.2-2sarge1_i386.deb
  to pool/main/c/curl/libcurl3-gssapi_7.13.2-2sarge1_i386.deb
libcurl3_7.13.2-2sarge1_i386.deb
  to pool/main/c/curl/libcurl3_7.13.2-2sarge1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Domenico Andreoli <[EMAIL PROTECTED]> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 22 Aug 2005 13:19:28 +0200
Source: curl
Binary: libcurl3-dbg libcurl3 libcurl3-dev libcurl3-gssapi curl
Architecture: source i386
Version: 7.13.2-2sarge1
Distribution: stable
Urgency: medium
Maintainer: Domenico Andreoli <[EMAIL PROTECTED]>
Changed-By: Domenico Andreoli <[EMAIL PROTECTED]>
Description: 
 curl       - Get a file from an HTTP, HTTPS, FTP or GOPHER server
 libcurl3   - Multi-protocol file transfer library, now with SSL support!
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-dev - Development files and documentation for libcurl
 libcurl3-gssapi - libcurl compiled with GSSAPI support
Closes: 310948
Changes: 
 curl (7.13.2-2sarge1) stable; urgency=medium
 .
   * Fixed data corruption when HTTP response headers contain null bytes
     (closes: #310948).
Files: 
 4c877414fd7c1461cf96d1cfbb5cd07d 810 web optional curl_7.13.2-2sarge1.dsc
 ce38f4c25d3cebfdfde18dceb1caa3ed 171550 web optional 
curl_7.13.2-2sarge1.diff.gz
 6ec6f3c003b7677bc4a83164d5fdbce6 147390 web optional 
curl_7.13.2-2sarge1_i386.deb
 5605dec37c43812288c2a393bec71c64 237670 libs optional 
libcurl3_7.13.2-2sarge1_i386.deb
 5390309553879607a881ac683a971cac 118296 libs extra 
libcurl3-gssapi_7.13.2-2sarge1_i386.deb
 385e48fd3996f413599643a8b3be8cb6 1003200 libdevel extra 
libcurl3-dbg_7.13.2-2sarge1_i386.deb
 9fffacb8426ef169d9ff0f3015f79598 1231884 libdevel optional 
libcurl3-dev_7.13.2-2sarge1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDCdSWBneQM6IOvFARAmv9AKDSeOe1FYahLGJCu1jIs1E0Mqw9rgCg3W/P
7XmKaRFuKumPkEb4N6k1jh8=
=kUBx
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]