diff options
author | Daniel Stenberg <daniel@haxx.se> | 2016-09-28 12:56:02 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2016-10-31 08:46:35 +0100 |
commit | 3d6460edeee21d7d790ec570d0887bed1f4366dd (patch) | |
tree | 65703bcc26fae14358ff6d5653eebe5b013ecaa1 | |
parent | 8732ec40db652c53fa58cd13e2acb8eab6e40874 (diff) |
krb5: avoid realloc(0)
If the requested size is zero, bail out with error instead of doing a
realloc() that would cause a double-free: realloc(0) acts as a free()
and then there's a second free in the cleanup path.
CVE-2016-8619
Bug: https://curl.haxx.se/docs/adv_20161102E.html
Reported-by: Cure53
-rw-r--r-- | lib/security.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/lib/security.c b/lib/security.c index a268d4a62..4cef8f89f 100644 --- a/lib/security.c +++ b/lib/security.c @@ -192,15 +192,18 @@ static CURLcode read_data(struct connectdata *conn, struct krb5buffer *buf) { int len; - void* tmp; + void *tmp = NULL; CURLcode result; result = socket_read(fd, &len, sizeof(len)); if(result) return result; - len = ntohl(len); - tmp = realloc(buf->data, len); + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); + tmp = realloc(buf->data, len); + } if(tmp == NULL) return CURLE_OUT_OF_MEMORY; |