curl_formget() accepts a user-provided callback function but does not
validate it is non-NULL before calling it. If a caller passes NULL,
the function will crash with SIGSEGV.
Add NULL check at the start of the function to return an appropriate
error code instead of crashing.
Signed-off-by: Robert W. Van Kirk <robert@rwvk.tech>
Closes#19858
On platforms where neither accept4 nor fcntl was available, an
EPRT connection did not send the accepted socket as non-blocking.
This became apparent when TLS was in use and the test receive
on shutdown did simply hang.
Reported-by: Denis Goleshchikhin
Fixes#19753Closes#19851
- drop redundant parentheses from macro definitions.
- apply clang-format in some places missed earlier.
- wolfssl: fix a macro guard comment.
- curl_setup.h: drop empty lines
- FAQ: fix C formatting.
Closes#19854
Clone a multibye conversion function into curlx/fopen, and use that
local copy from curlx/fopen functions. Adjust allocators in curlx/fopen
to use curl's in normal builds, and system allocators in TrackMemory
builds to avoid recursion.
This allows to switch curlx/multibyte functions to curl allocators in
all configurations, as they are no longer called by curlx/fopen, and
a recursive call can no longer happen.
After this patch the system allocator is only used in TrackMemory
Windows builds, within curlx `fopen`, `freopen`, `stat` and `open`
functions.
Also:
- test 1, 440, 767: raise allocation limitsto fit the extra allocations
in Windows Unicode builds.
- replace all uses of `curlx_unicodefree()` macro with `curlx_free()`
across the codebase.
- curlx/multibyte: delete `curlx_unicodefree()`.
- ldap: join Windows and non-Windows codepaths that became
identical after moving from `curlx_unicodefree()` to `curlx_free()`.
- vauth: drop a strdup from standard to curl allocator since
the original allocation is now already done by curl's.
- tool_doswin: drop now superfluous strdup from `FindWin32CACert()`.
- memanalyzer.pm: sync weirdo `calloc` log message with `malloc`'s.
Fixes#19748Closes#19845
Legacy LDAP means an OpenLDAP-compatible implementation
without the private API `ldap_init_fd()` introduced in OpenLDAP
2.4.6+ (2007-10-31), and not WinLDAP.
One known example is Apple's LDAP build, which is based on
OpenLDAP 2.4.28 (2011-11-25), without providing this private API.
The version query API was introduced around 1998-1999, before
the minimum (2.0 2000-08-01) required by curl.
Follow-up to 3e2a946926#19808Closes#19832
Since we no longer traverse the transfers attached to a connection,
change the sparse bitset to just a `uint32_t` counter.
This makes multi_ev the single user of sparse bitsets for transfers
using a socket and allocation failures are handled there correctly.
Refs #19818Closes#19836
To make it clearer to readers of the code that the resulting dup also
has a null terminator. Something a "normal" memdup() does not provide.
Closes#19833
Function Curl_bufref_ptr() now returns a const char *.
New function Curl_bufref_uptr() returns a const unsigned char *.
Usage and doc updated.
Closes#19827
OpenSSL 4 has plans to make ASN1_STRING opaque, which will break the
build, so convert the code to use accessors. ASN1_STRING_length() and
ASN1_STRING_type() go way back to SSLeay and ASN1_STRING_get0_data() is
OpenSSL 1.1 API present in BoringSSL since foreer and also available
since LibreSSL 2.7, so this should not cause compat issues with any
libcrypto in a supported version of the fork family.
https://github.com/openssl/openssl/issues/29117Closes#19831
Eliminate a heap buffer in both `win32_idn_to_ascii()` and
`win32_ascii_to_idn()`, by replacing it with stack buffer. The maximum
size is fixed in these cases, and small enough to fit there.
Also reuse length returned by the UTF-8 to wchar conversion, allowing
to drop `wcslen()` call in both functions, and allowing to call
the wchar to UTF-8 conversion API `WideCharToMultiByte()` with the known
length, saving length calculations within that API too.
Ref: https://github.com/curl/curl/pull/19748#issuecomment-3592015200Closes#19798
A fix for the tests that took the longest:
- test_05: make the server close the HTTP/1.1 connection when
simulating an error during a download. This eliminates waiting
for a keepalive timeout
- test_02: pause tests with slightly smaller documents, eliminate
special setup for HTTP/2. We test stream window handling now
elsewhere already
- cli_hx_download: run look in 500ms steps instead of 1sec, resuming
paused tranfers earlier.
Closes#19809
Instead of buffering response body data until it is received by the
transfer loop, write the response data directly to the client.
Use a connection wide scratch buffer to get the response body from
quiche. Eliminates need for maintaining individual buffers for each
stream.
Fixes#19803
Reported-by: Stanislav Fort
Closes#19806
add the debug log before freeing the memory, otherwise another thread
might allocate and log it before the free is logged.
Follow-up to a7bebd8502Closes#19787
Protect modification to the `membuf` by different threads
via a mutex. This ensure that index updates are correct and
that data gets written in order.
Closes#19785
Use the already detected `gssapi/gssapi_krb5.h` MIT Kerberos header
to pull in `gssapi_ext.h`, which in turn sets `GSS_C_CHANNEL_BOUND_FLAG`
if supported. Channel binding is present in MIT Kerberos 1.19+.
Also:
- lib: de-duplicate GSS-API header includes.
- vauth: de-duplicate `urldata.h` includes.
- drop interim feature macro in favor of the native GSS one.
Assisted-by: Max Faxälv
Reported-by: Max Faxälv
Bug: https://github.com/curl/curl/pull/19164#issuecomment-3551687025
Follow-up to 8616e5aada#19164Closes#19603Closes#19760
Follow-up to c1e3a760b. The previous update missed an addition that also
can wrap and cause confusion. Fixing this by calling
Curl_pgrsSetDownloadSize() after the overflow check.
Reported-by: Deniz Parlak
Closes#19774
