After tracing through the code a bit, the problem occurs in transfer.c in:

    static CURLcode readwrite_upload(struct SessionHandle *data,
                                     struct connectdata *conn,
                                     struct SingleRequest *k,
                                     int *didwhat)

The local variable bytes_written is set to a value greater than data->req.upload_present. The statements where I see the problem are:

    if(data->req.upload_present != bytes_written) {
      /* we only wrote a part of the buffer (if anything), deal with it! */
      /* store the amount of bytes left in the buffer to write */
      data->req.upload_present -= bytes_written;

The if statement evaluates to true, but the code's assumption is that bytes_written will never be greater than data->req.upload_present. Still tracing to see why this is not true in my case.

On May 17, 2009, at 6:44 PM, Frank McGeough wrote:
After getting libcurl to compile for Symbian - Nokia 5th edition SDK 1,0 - I began implementing a protocol that sits on top of HTTP/HTTPS. Although simple GETs and POSTs work fine, a GET with my own headers supplied crashes with a memory overrun down in curlib. Perhaps I'm doing something wrong, but I've narrowed the code down as much as I can and it's just not doing that much. Here it is:

    #include <iostream>
    #include <curl/curl.h>

    void testGetWithHeaders(char* url)
    {
        CURL *curl;
        CURLcode curl_result;
        curl = curl_easy_init();
        if (curl)
        {
            curl_easy_setopt(curl, CURLOPT_URL, url);
            // build the list of custom request headers
            struct curl_slist *headers = NULL;
            headers = curl_slist_append(headers, "x-mm-clientid: nmm:[email protected]");
            headers = curl_slist_append(headers, "x-mm-commandid: 2");
            headers = curl_slist_append(headers, "x-mm-cookie: NIC=NIC-7668-27");
            headers = curl_slist_append(headers, "x-mm-cookie: PIC=PIC-7668-28");
            curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
            curl_result = curl_easy_perform(curl);
            // the header list is owned by the caller and must be freed
            curl_slist_free_all(headers);
            curl_easy_cleanup(curl);
            if (curl_result == CURLE_OK)
            {
                std::cout << "OK!" << std::endl;
            }
            else
            {
                // something went wrong - error code is in curl_result
                std::cout << "libcurl error code #" << curl_result << std::endl;
            }
        }
    }

The crash occurs in curl_easy_perform. It looks like after the GET returns with the data (the server sends back HTTP/1.1 200 OK), the curlib attempts to write a giant amount of data back. This is because data->req.upload_present is set to -103. That value gets passed in as size_t len in:

    CURLcode Curl_write(struct connectdata *conn, curl_socket_t sockfd,
                        const void *mem, size_t len, ssize_t *written)

and becomes 4294967188.

If anyone has suggestions to track this down further or some idea of something stupid that I'm doing, they'd be appreciated. Thanks.
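
Added example, not part of the original messages and not libcurl's code: a small C model of the failure described in this thread, where a signed "bytes left" counter underflows and is then passed as an unsigned length, shown beside a checked variant. The type aliases, function names and sample values are assumptions made for illustration; a 32-bit target is modelled with int32_t/uint32_t.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: model a 32-bit target, ssize_t as int32_t, size_t as uint32_t. */
typedef int32_t  ssz_t;
typedef uint32_t usz_t;

/* Unchecked bookkeeping, same shape as the statements quoted in the thread. */
static ssz_t consume_unchecked(ssz_t present, ssz_t written)
{
  if(present != written)
    present -= written;     /* goes negative when written > present */
  else
    present = 0;            /* assumed: whole buffer was written */
  return present;
}

/* Hypothetical checked variant: 0 on success, -1 when the reported count
   lies outside [0, present]; the counter is left untouched on failure. */
static int consume_checked(ssz_t *present, ssz_t written)
{
  if(written < 0 || written > *present)
    return -1;
  *present -= written;
  return 0;
}

/* Hypothetical guard at the signed-to-unsigned boundary of a write call. */
static int to_write_len(ssz_t present, usz_t *len)
{
  if(present < 0)
    return -1;              /* never hand a negative count to a size_t */
  *len = (usz_t)present;
  return 0;
}

int main(void)
{
  /* Constructed values: 512 bytes buffered, writer reports 520. */
  ssz_t left = consume_unchecked(512, 520);
  ssz_t present = 512;
  usz_t len = 0;
  int rc = consume_checked(&present, 520);

  printf("unchecked: left=%d, as length=%u\n", (int)left, (unsigned)(usz_t)left);
  printf("checked:   rc=%d, present=%d\n", rc, (int)present);
  printf("guard:     rc=%d\n", to_write_len(left, &len));
  return 0;
}
```
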