mythos scan of curl 2026-05-06 · GitHub
bagder/mythos.md, created May 13, 2026 06:35
# curl security review log

- Started: 2026-05-06
- Commit: 455bebc2c7 (master)
- Scope: 178k LoC C, lib/ + src/
- Code links: https://github.com/curl/curl/tree/455bebc2c76223a1be26042f6d2393715c0df0cd (all line refs below pin to this commit)
## Approach

curl is one of the most fuzzed and audited C codebases in existence (OSS-Fuzz, Coverity, CodeQL, multiple paid audits). Finding anything in the hot paths (HTTP/1, TLS, URL parsing core) is unlikely. Focus instead on:

- Code changed in the last 90 days (fewer eyes, not yet fuzzed long)
- Obscure protocols nobody uses or audits: DICT, GOPHER, TELNET, MQTT, RTSP, TFTP, LDAP, SMB, IMAP/POP3
- Error/cleanup paths (fuzzers hit happy paths more)
- Integer arithmetic on attacker-controlled lengths
- The tool (src/) rather than the library - less scrutiny than libcurl
- Build system / test infra (supply chain angle)
- Platform-specific code (#ifdef WIN32, VMS, AmigaOS etc.) - rarely compiled by reviewers
- Interaction bugs between features (e.g. HSTS + altsvc + connection reuse)
## Method per area

- Read the code directly, don't rely on grep patterns alone
- For each suspicious site: trace data origin back to network/user input
- Check bounds, signedness, overflow, lifetime
- Note even low-severity findings - they indicate code quality in that area
- Record NEGATIVE results too (looked at X, found nothing) so a restart doesn't repeat work
## Verification standard (no false positives)

Before anything goes in Findings it must pass ALL of:

1. Data origin traced: the dangerous value provably comes from network/file/user input, not a constant or an already-validated source
2. No upstream guard: checked the full call chain for earlier length/range/NULL checks that would prevent the bad case
3. No type-level mitigation: e.g. the value is an unsigned char so "negative" is impossible, or the buffer is sized by the same variable
4. Reachable: the code path is actually compiled in a normal build (not dead #ifdef VMS etc.) and reachable at runtime
5. Consequence stated concretely: "writes N bytes past buffer X of size Y", not "might overflow"

Anything that fails a check goes in "Investigated - not a bug" with the reason. Uncertain items go in "Needs PoC", not Findings.
## Plan / progress checklist

- P1: Survey recent commits (90 days) for risky changes (peer.c reviewed in depth)
- P2: lib/dict.c - DICT protocol (clean)
- P3: lib/gopher.c - GOPHER (clean)
- P4: lib/telnet.c - TELNET (clean)
- P5: lib/mqtt.c - MQTT (clean, 1 out-of-scope note)
- P6: lib/rtsp.c - RTSP (clean, 1 correctness-only bug noted)
- P7: lib/tftp.c - TFTP (clean)
- P8: lib/smb.c - SMB (clean)
- P9: lib/ldap.c + openldap.c (2 minor leaks, not security)
- P10: src/tool_*.c - CLI argument/config handling (2 real bugs, outside threat model)
- P11: Integer overflow sweep (clean - dynbuf/memdup0/str_number/bufq all...