aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteve Holme <steve_holme@hotmail.com>2014-12-12 18:55:16 +0000
committerSteve Holme <steve_holme@hotmail.com>2014-12-12 19:15:10 +0000
commit8a4ce7d0f5322f22d9b45539b06750dc5c9641b2 (patch)
tree9fa21d54d216b2a45523b54db2cb95d10d0cc610
parentf0ecdd04d3cd3c8814a296c3a9d2211086b7abd8 (diff)
smtp: Fixed inappropriate free of the scratch buffer
If the scratch buffer was allocated in a previous call to Curl_smtp_escape_eob(), a new buffer not allocated in the subsequent call and no action taken by that call, then an attempt would be made to try and free the buffer which, by now, would be part of the data->state structure. This bug was introduced in commit 4bd860a001.
-rw-r--r--lib/smtp.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/smtp.c b/lib/smtp.c
index 5c0b0a495..7b0080606 100644
--- a/lib/smtp.c
+++ b/lib/smtp.c
@@ -2321,6 +2321,7 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread)
struct SessionHandle *data = conn->data;
struct SMTP *smtp = data->req.protop;
char *scratch = data->state.scratch;
+ char *newscratch = NULL;
char *oldscratch = NULL;
size_t eob_sent;
@@ -2328,8 +2329,8 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread)
if(!scratch || data->set.crlf) {
oldscratch = scratch;
- scratch = malloc(2 * BUFSIZE);
- if(!scratch) {
+ scratch = newscratch = malloc(2 * BUFSIZE);
+ if(!newscratch) {
failf(data, "Failed to alloc scratch buffer!");
return CURLE_OUT_OF_MEMORY;
@@ -2401,7 +2402,7 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread)
data->req.upload_present = si;
}
else
- Curl_safefree(scratch);
+ Curl_safefree(newscratch);
return CURLE_OK;
}