curl: Heap buffer overflow in Curl_ipv4_resolve

Description

Summary:

A heap-based buffer overflow exists in the AmigaOS-specific DNS resolution
function Curl_ipv4_resolve_r located in lib/amigaos.c.

The function uses gethostbyname_r() with a fixed-size heap buffer
(CURL_HOSTENT_SIZE) and performs incorrect pointer arithmetic when calculating
the data buffer offset and size. This fails to account for structure alignment
and padding requirements, which can result in the resolver writing past the
allocated heap buffer.

The issue is specific to AmigaOS builds using the bsdsocket.library backend.

## Impact

Impact Summary:

An attacker who can influence DNS responses or cause resolution of attacker-
controlled hostnames may trigger heap memory corruption in curl or libcurl
processes on AmigaOS.

Potential impacts include:
- Process crash (denial of service)
- Heap memory corruption
- Possible code execution depending on heap layout and mitigations

The impact is limited to AmigaOS platforms.

Visit Original Source

Basic Information

ID H1:3468410

Published Dec 17, 2025 at 05:44

Modified Dec 17, 2025 at 13:20

{
    "lastseen": "2025-12-17T13:49:28",
    "description": "Summary:\n\nA heap-based buffer overflow exists in the AmigaOS-specific DNS resolution\nfunction Curl_ipv4_resolve_r located in lib/amigaos.c.\n\nThe function uses gethostbyname_r() with a fixed-size heap buffer\n(CURL_HOSTENT_SIZE) and performs incorrect pointer arithmetic when calculating\nthe data buffer offset and size. This fails to account for structure alignment\nand padding requirements, which can result in the resolver writing past the\nallocated heap buffer.\n\nThe issue is specific to AmigaOS builds using the bsdsocket.library backend.\n\n## Impact\n\nImpact Summary:\n\nAn attacker who can influence DNS responses or cause resolution of attacker-\ncontrolled hostnames may trigger heap memory corruption in curl or libcurl\nprocesses on AmigaOS.\n\nPotential impacts include:\n- Process crash (denial of service)\n- Heap memory corruption\n- Possible code execution depending on heap layout and mitigations\n\nThe impact is limited to AmigaOS platforms.",
    "published": "2025-12-17T05:44:02",
    "modified": "2025-12-17T13:20:49",
    "type": "hackerone",
    "title": "curl: Heap buffer overflow in Curl_ipv4_resolve_r due to incorrect buffer alignment and size calculation on AmigaOS",
    "source": "",
    "references": "",
    "id": "H1:3468410",
    "bulletinFamily": "bugbounty",
    "cwe": null,
    "cvelist": [],
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://hackerone.com/reports/3468410",
    "category_name": "News",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

curl: Heap buffer overflow in Curl_ipv4_resolve_r due to incorrect buffer alignment and size calculation on AmigaOS_H1:3468410

Description

Basic Information

💭 Join the Security Discussion ❌ Cancel Reply