Buffer Overflow in curl's Rustls Backend

## Summary: [summary of the vulnerability] A buffer overflow vulnerability exists in the curl library's Rustls backend due to an integer overflow in the dynamic buffer management. This issue could potentially allow an attacker to overwrite memory, leading to application crashes or, in theory, arbitrary code execution. However, exploitation is highly impractical due to the enormous file sizes required, making the real-world risk low. ## Affected version [Which curl/libcurl version are you using to reproduce? On which platform? `curl -V` typically generates good output to include] All versions of curl using the Rustls backend with the vulnerable dynamic buffer management code in the Curl_dyn_addn function are affected. ## Steps To Reproduce: [add details for how we can reproduce the issue] Unsanitized input from a file flows into memcpy, where it is used to manipulate application memory. This may result in a buffer overflow vulnerability. Data flow 8 steps in 2 files ‎lib/vtls/rustls.c 3 steps 421:13 bufbuf Source 1 - 2 424:39 buf 3 ‎lib/dynbuf.c 5 steps 167:42 const void *mem 4 172:25 mem 5 70:29 const unsigned char *mem 6 119:28 memmemcpy 7 - 8 :28 mem 7 :5 memcpy https://github.com/curl/curl/tree/acdb48272a53fe97f63e5437fce27c7036a9c43e/lib/vtls/rustls.c#L421 https://github.com/curl/curl/tree/acdb48272a53fe97f63e5437fce27c7036a9c43e/lib/dynbuf.c#L119 Impact If exploited, this vulnerability could result in memory corruption, potentially causing application crashes or enabling arbitrary code execution. However, the conditions required for exploitation—such as processing files approaching 4GB on 32-bit systems or 18 exabytes on 64-bit systems—are highly impractical. Additionally, modern memory protections like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) further reduce the likelihood of successful exploitation. As a result, the overall risk is considered low. Technical Details The vulnerability originates in the Curl_dyn_addn function, located in lib/dynbuf.c, which is responsible for adding data to a dynamic buffer. The function performs a size check to ensure the buffer has sufficient capacity: c if (s->len + len > s->size) { /* Need to reallocate to fit the new data */ } However, if the sum of the current buffer length (s->len) and the new data length (len) exceeds the maximum value of size_t, an integer overflow occurs. This causes the condition s->len + len > s->size to incorrectly evaluate to false, even when the total size exceeds the allocated buffer capacity. As a result, the subsequent memcpy operation writes data beyond the buffer's bounds, leading to a buffer overflow. This issue can theoretically be triggered when processing extremely large files, such as Certificate Revocation Lists (CRLs). For example: On a 32-bit system, where size_t is typically 32 bits, the overflow occurs near 4GB (2³² bytes). On a 64-bit system, where size_t is 64 bits, the overflow requires approximately 18 exabytes (2⁶⁴ bytes), an impractical size for most real-world scenarios. Mitigation To protect against this vulnerability, consider the following recommendations: Users: Avoid processing untrusted files that approach or exceed the size limits of size_t (e.g., 4GB on 32-bit systems or 18 exabytes on 64-bit systems). Validate input file sizes before processing where possible. Developers: Update the Curl_dyn_addn function to include explicit overflow checks. For example, verify that s->len + len does not exceed SIZE_MAX before performing the addition, or use safe arithmetic libraries to prevent integer overflows. A patch could resemble: c if (len > SIZE_MAX - s->len || s->len + len > s->size) { /* Handle overflow or insufficient size */ } ## Supporting Material/References: [list any additional material (e.g. screenshots, logs, etc.)] * [attachment / reference] ## Impact ## Summary: While the impracticality of exploitation reduces the urgency, addressing this issue in the codebase will enhance the overall robustness of the curl library. This report provides a comprehensive overview of the vulnerability, its potential impact, and actionable steps to mitigate it, suitable for both technical and non-technical audiences.