diff options
author | Daniel Stenberg <daniel@haxx.se> | 2008-04-12 11:50:51 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2008-04-12 11:50:51 +0000 |
commit | 84eb9fee765d8614b5f4d56e1db3ea02322301fe (patch) | |
tree | 4dd31f6f98ecf8ba4d5b61786af3b2ad902952fd | |
parent | 79300cdcd988e65c37bd3d9b391cd7a73ebefc6b (diff) |
- Andre Guibert de Bruet found and fixed a case where malloc() was called but
was not checked for a NULL return, in the Negotiate code.
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | RELEASE-NOTES | 3 | ||||
-rw-r--r-- | lib/http_negotiate.c | 10 |
3 files changed, 14 insertions, 3 deletions
@@ -6,6 +6,10 @@ Changelog +Daniel Stenberg (12 Apr 2008) +- Andre Guibert de Bruet found and fixed a case where malloc() was called but + was not checked for a NULL return, in the Negotiate code. + Daniel Fandrich (9 Apr 2008) - Added test cases 1024 & 1025 to test a scenario similar to the one reported by Ben Combee where libcurl would send the wrong cookie to a redirected diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 85dc6e380..fbb1f901e 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -19,6 +19,7 @@ This release includes the following bugfixes: the confusion that could lead to a hung transfer o curl_easy_reset() resets the max redirect limit properly o configure now correctly recognizes Heimdal and MIT gssapi libraries + o malloc() failure check in Negotiate This release includes the following known bugs: @@ -36,6 +37,6 @@ This release would not have looked like this without help, code, reports and advice from friends like these: Michal Marek, Daniel Fandrich, Scott Barrett, Alexey Simak, Daniel Black, - Rafa Muyo + Rafa Muyo, Andre Guibert de Bruet Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index f4aab7de4..ac8ad5802 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -116,6 +116,8 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) infof(conn->data, "%s", buf); } +/* returning zero (0) means success, everything else is treated as "failure" + with no care exactly what the failure was */ int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *header) { @@ -185,9 +187,13 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, unsigned char * mechToken = NULL; size_t mechTokenLength = 0; - spnegoToken = malloc(input_token.length); if(input_token.value == NULL) - return ENOMEM; + return CURLE_OUT_OF_MEMORY; + + spnegoToken = malloc(input_token.length); + if(spnegoToken == NULL) + return CURLE_OUT_OF_MEMORY; + spnegoTokenLength = input_token.length; object = OBJ_txt2obj ("1.2.840.113554.1.2.2", 1); |