aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2008-04-12 11:50:51 +0000
committerDaniel Stenberg <daniel@haxx.se>2008-04-12 11:50:51 +0000
commit84eb9fee765d8614b5f4d56e1db3ea02322301fe (patch)
tree4dd31f6f98ecf8ba4d5b61786af3b2ad902952fd
parent79300cdcd988e65c37bd3d9b391cd7a73ebefc6b (diff)
- Andre Guibert de Bruet found and fixed a case where malloc() was called but
was not checked for a NULL return, in the Negotiate code.
-rw-r--r--CHANGES4
-rw-r--r--RELEASE-NOTES3
-rw-r--r--lib/http_negotiate.c10
3 files changed, 14 insertions, 3 deletions
diff --git a/CHANGES b/CHANGES
index cc6ae31cf..6d28e453e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@
Changelog
+Daniel Stenberg (12 Apr 2008)
+- Andre Guibert de Bruet found and fixed a case where malloc() was called but
+ was not checked for a NULL return, in the Negotiate code.
+
Daniel Fandrich (9 Apr 2008)
- Added test cases 1024 & 1025 to test a scenario similar to the one reported
by Ben Combee where libcurl would send the wrong cookie to a redirected
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 85dc6e380..fbb1f901e 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -19,6 +19,7 @@ This release includes the following bugfixes:
the confusion that could lead to a hung transfer
o curl_easy_reset() resets the max redirect limit properly
o configure now correctly recognizes Heimdal and MIT gssapi libraries
+ o malloc() failure check in Negotiate
This release includes the following known bugs:
@@ -36,6 +37,6 @@ This release would not have looked like this without help, code, reports and
advice from friends like these:
Michal Marek, Daniel Fandrich, Scott Barrett, Alexey Simak, Daniel Black,
- Rafa Muyo
+ Rafa Muyo, Andre Guibert de Bruet
Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index f4aab7de4..ac8ad5802 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -116,6 +116,8 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix)
infof(conn->data, "%s", buf);
}
+/* returning zero (0) means success, everything else is treated as "failure"
+ with no care exactly what the failure was */
int Curl_input_negotiate(struct connectdata *conn, bool proxy,
const char *header)
{
@@ -185,9 +187,13 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
unsigned char * mechToken = NULL;
size_t mechTokenLength = 0;
- spnegoToken = malloc(input_token.length);
if(input_token.value == NULL)
- return ENOMEM;
+ return CURLE_OUT_OF_MEMORY;
+
+ spnegoToken = malloc(input_token.length);
+ if(spnegoToken == NULL)
+ return CURLE_OUT_OF_MEMORY;
+
spnegoTokenLength = input_token.length;
object = OBJ_txt2obj ("1.2.840.113554.1.2.2", 1);