Description
## Summary:
In addvariable() (used by setvariable()), the code allocates memory for p->name without space for a NUL terminator and copies nlen bytes directly. Later, functions such as varcontent() call strlen() on this name, assuming it is NUL-terminated. This can lead to out-of-bounds memory reads, causing crashes (DoS) or potential information leakage, depending on the runtime context. The issue affects curl's variable management code and can be triggered via normal usage of --variable or internal API calls.
No AI assistance was used to find this issue or generate this report.
Source file: https://github.com/curl/curl/blob/master/src/var.c

Issue code (excerpt from addvariable()):

```c
p = calloc(1, sizeof(struct tool_var) + nlen);
if(p) {
  memcpy(p->name, name, nlen);
  /* ... */
}
```
## Steps To Reproduce:
1. Clone the repo and build it with ASan/UBSan enabled:

```sh
git clone https://github.com/curl/curl.git
cd curl
CFLAGS="-fsanitize=address,undefined -g -O1" ./configure
make -j$(nproc)
```

2. Add a variable via setvariable() (e.g., "TESTVAR=value").
3. Look up the variable using varcontent() or varexpand().
4. Observe the crash or out-of-bounds read in the ASan/UBSan logs.
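The check a triager would run before following the steps above, added here as an example and not part of the original report or of curl's code: the program mirrors the calloc/memcpy sequence quoted from addvariable() against two struct layouts. It assumes the layout I believe curl's src/var.h uses, a one-byte trailing array `char name[1]`; confirm that in the tree you build. With that layout, sizeof(struct tool_var) already covers a byte past the copied name and calloc() zero-fills it, so strlen() stops at nlen and no out-of-bounds read occurs. The read the report describes arises only if the trailing member is a C99 flexible array member (`char name[]`), which the second, hypothetical layout models: a flexible array member adds nothing to sizeof, so the terminator slot would fall exactly one byte past the allocation.

```c
/* Added example (not curl's code): reproduces the allocation pattern from
 * addvariable() against two struct layouts and checks whether a NUL terminator
 * fits inside calloc(1, sizeof(struct) + nlen).
 * ASSUMPTION: curl's src/var.h declares the trailing member as `char name[1]`;
 * verify this before filing or triaging. The `name[]` layout is hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout assumed to match curl: a one-byte trailing array, so sizeof()
 * already reserves at least one byte after an nlen-byte name. */
struct tool_var_curl {
  struct tool_var_curl *next;
  const char *content;
  size_t clen;
  char name[1];
};

/* Hypothetical layout that WOULD make the report valid: a flexible array
 * member contributes nothing to sizeof(), leaving no byte for the NUL. */
struct tool_var_fam {
  struct tool_var_fam *next;
  const char *content;
  size_t clen;
  char name[];
};

/* The terminator at name[nlen] lies inside an allocation of
 * struct_size + nlen bytes exactly when name_offset + nlen < struct_size + nlen,
 * i.e. when the name member starts strictly before the end of the struct. */
static int terminator_fits(size_t struct_size, size_t name_offset)
{
  return name_offset < struct_size;
}

/* Same steps as addvariable() for the curl-like layout. calloc() zero-fills,
 * so the byte after the copied name is already NUL when the slot exists.
 * Caller frees *out. Returns the length strlen() observes for the stored
 * name, or (size_t)-1 on allocation failure. */
static size_t store_and_measure(const char *name, size_t nlen,
                                struct tool_var_curl **out)
{
  struct tool_var_curl *p = calloc(1, sizeof(struct tool_var_curl) + nlen);
  if(!p)
    return (size_t)-1;
  memcpy(p->name, name, nlen);
  *out = p;
  /* Only safe because terminator_fits() holds for this layout. */
  return strlen(p->name);
}

int main(void)
{
  struct tool_var_curl *p = NULL;
  /* Constructed sample name, 7 bytes, as in the report's "TESTVAR=value". */
  size_t seen = store_and_measure("TESTVAR", 7, &p);

  printf("name[1] layout: sizeof=%zu offsetof(name)=%zu terminator fits: %d\n",
         sizeof(struct tool_var_curl), offsetof(struct tool_var_curl, name),
         terminator_fits(sizeof(struct tool_var_curl),
                         offsetof(struct tool_var_curl, name)));
  printf("name[]  layout: sizeof=%zu offsetof(name)=%zu terminator fits: %d\n",
         sizeof(struct tool_var_fam), offsetof(struct tool_var_fam, name),
         terminator_fits(sizeof(struct tool_var_fam),
                         offsetof(struct tool_var_fam, name)));
  printf("strlen() of stored name: %zu (copied %zu bytes)\n", seen, (size_t)7);
  free(p);
  return 0;
}
```

Build it with the same -fsanitize flags as step 1: ASan reports nothing for the name[1] layout because strlen() never leaves the allocation, while the offset check for the flexible-array layout shows where a missing terminator byte would land. Whichever layout the checked-out src/var.h actually declares decides whether steps 2 to 4 can produce the reported crash.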
Screenshot of the issue code: attachment #F4950584
## Impact
addvariable() fails to NUL-terminate stored variable names, so subsequent calls to strlen() can read past the allocated buffer and cause an immediate program crash. This results in an availability impact (easy DoS if the code path is reachable), and the out-of-bounds read may also expose adjacent memory, creating a potential confidentiality issue. While this bug alone is unlikely to enable remote code execution, it increases overall exploitability when combined with other vulnerabilities. Triage severity should be considered Medium, escalating to High if an information leak can be demonstrated.
Basic Information
ID
H1:3406123
Published
Oct 30, 2025 at 16:55
Modified
Oct 31, 2025 at 11:35