Dear Maintainer,

During recent autopkgtest runs triggered by the vsftpd migration (as shown in the migration excuses page: https://qa.debian.org/excuses.php?package=vsftpd), we observed consistent failures on 32-bit architectures (specifically i386) in the following test case:

  test_05_errors.py::TestErrors::test_05_04_unclean_tls_shutdown[http/1.0]

The test fails with exit code 8 (CURLE_WEIRD_SERVER_REPLY) instead of the expected exit code 56 (CURLE_RECV_ERROR). The curl verbose log shows:

  * Invalid Content-Length: value
  * closing connection #0

Upon further investigation in a local unstable-i386 chroot, we found that the Apache test server (mod_curltest) is actually sending an invalid "Content-Length: -1" header.

The root cause lies in a signed/unsigned type promotion bug in the Apache test module:
tests/http/testenv/mod_curltest/mod_curltest.c

Line 409 of mod_curltest.c contains the following ternary assignment:

  r->clength = with_cl ? (chunks * chunk_size) : -1;

Where the variables are declared as:
  int chunks;
  size_t chunk_size;
  apr_off_t clength;  /* signed 64-bit integer */

On a 32-bit architecture (i386):
1. `chunks * chunk_size` evaluates to `unsigned int` (32-bit unsigned).
2. Due to Usual Arithmetic Conversions in C, the signed `-1` (int) operand of the ternary operator is promoted to `unsigned int`, yielding `4294967295` (0xFFFFFFFF).
3. The ternary operator returns `4294967295` as an `unsigned int`.
4. This unsigned value is then assigned to `r->clength` (apr_off_t, 64-bit signed). Since the source is unsigned, it is zero-extended, resulting in `r->clength` becoming `+4294967295`.
5. The subsequently executed check `if(r->clength >= 0)` evaluates to true.
6. Inside the block, `apr_ltoa(r->pool, (long)r->clength)` casts it to a 32-bit signed `long` (on 32-bit platforms), which truncates it back to `-1`, formatting it as "-1" and sending the "Content-Length: -1" header.

On a 64-bit architecture (amd64), `size_t` is 64-bit, and `-1` (32-bit int) is promoted to `unsigned long` (64-bit), yielding `18446744073709551615`. When assigned to `r->clength` (64-bit signed), it wraps back to `-1`, which correctly skips the Content-Length generation.

This type promotion mismatch can be safely fixed by avoiding the signed/unsigned mixture in the ternary operator.

Please find the attached patch which resolves this issue by explicitly assigning the values using a standard if-else block.

Thanks,
Keng-Yu Lin
---

diff --git a/tests/http/testenv/mod_curltest/mod_curltest.c b/tests/http/testenv/mod_curltest/mod_curltest.c
index 585c57b..308bf3b 100644
--- a/tests/http/testenv/mod_curltest/mod_curltest.c
+++ b/tests/http/testenv/mod_curltest/mod_curltest.c
@@ -406,8 +406,12 @@ static int curltest_tweak_handler(request_rec *r)
   ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "error_handler: processing "
                 "request, %s", r->args? r->args : "(no args)");
   r->status = http_status;
-  r->clength = with_cl ? (chunks * chunk_size) : -1;
+  if(with_cl) {
+    r->clength = (apr_off_t)chunks * chunk_size;
+  }
+  else {
+    r->clength = -1;
+  }
   r->chunked = (r->proto_num >= HTTP_VERSION(1, 1)) && !with_cl;
   apr_table_setn(r->headers_out, "request-id", request_id);

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140793@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carlos Henrique Lima Melara <charlesmelara@riseup.net> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 28 Jun 2026 17:49:59 -0300
Source: curl
Architecture: source
Version: 8.21.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Curl Maintainers <team+curl@tracker.debian.org>
Changed-By: Carlos Henrique Lima Melara <charlesmelara@riseup.net>
Closes: 1140793
Changes:
 curl (8.21.0-2) unstable; urgency=medium
 .
   * d/p/tests-fix-type-promotion-on-32-bit-arches.patch: add patch.
     (Closes: #1140793)
Checksums-Sha1:
 0fd0a6ec72371515b3ae04f78d06fbbb30cab5f1 3545 curl_8.21.0-2.dsc
 ec47cbca16e28c4c8b49da7668dc2a350fcfcd7d 65312 curl_8.21.0-2.debian.tar.xz
 3e65ef16d5f56ef79541f4cfc8b1d1f5244e1e67 12277 curl_8.21.0-2_amd64.buildinfo
Checksums-Sha256:
 86a8e0ce106d0bc28c3995f65fe73ac1b43f6660d3667477adda4e0affb8c6f4 3545 curl_8.21.0-2.dsc
 f767d84fa9827ccfa1fe1df68ca4cfc5b87f18d90631c0bb9d072eddda655922 65312 curl_8.21.0-2.debian.tar.xz
 1fafeef0c0fb3a8693ee0bb351b93738ac1dcda9b8dec3f0bd6c740c82991cd6 12277 curl_8.21.0-2_amd64.buildinfo
Files:
 38c83144cb5ce3bccc6a291ada90022e 3545 web optional curl_8.21.0-2.dsc
 ca1243fd0d5504c93af1127839370a03 65312 web optional curl_8.21.0-2.debian.tar.xz
 c74e8727b372d96f182777bdea183713 12277 web optional curl_8.21.0-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----

iQJNBAEBCgA3FiEECgzx8d8+AINglLHJt4M9ggJ8mQsFAmpBoBEZHGNoYXJsZXNt
ZWxhcmFAcmlzZXVwLm5ldAAKCRC3gz2CAnyZC8V3D/9CSuy6uqd1c86YHHCnhHqA
Z2gfp+N4sHBpyq6L3wBbTFgc/XPgc9vBYiyF4xdU3VJsguhk3sJAJ3FBW/iGmfUT
1ZO+FDu6QeTniHuZmFKcFjZTHWd5MktDldcunKayua4ay9VmgY9nMgchAXAKe/gY
SoY5D5Ii2gK7zF+5d1deBKCrYcrDYVeSQIXhAbfJjzm1PoJuWHE3Gey6lQO2EXyq
djbSVp61JreeLKGqYv5rQ+Z60GO+xlIsC7fb9/9ALMawWhh9V2dA+LlKuclK676v
9FaK58hGXMeHo+o9/7AATb6z333pITlEiSCX/0hb/aVu4GUKmyaxrlM1L1AcMPqw
mO2jCDBnsaDJQtT0kh/CuGNnTaBbkY6hV0jJep2EONaZixMbMFYN0RVPB9tMvuu6
Yn+ZyUxsYXruGp6Q5exk4oh0zUW3PmVb0JzdarQseJKRb9b8NWfIltLXB+6ecdkv
og/1ofSHTwhd+i63PEwTvmd5NQiA8LD9TD9aGBJYoPmyAVfs3HCuPPPbntNuE7vH
XPXk+S6bgAtBZsnMLiEK5oybOsd8WGuzE2PZs8t0sfl/TUAqVJ//w0Q7HZEn3Dnj
xydur9YGyOkxcHUYKKmJ8LvjUI5CHNV6MXRAHU9uRehbm96Nkz/ZUih7D/Zam67Z
pwTxSo4yvmQz18UJNmG7NQ==
=otG7
-----END PGP SIGNATURE-----