diff options
author | Daniel Stenberg <daniel@haxx.se> | 2019-09-03 22:59:32 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2019-09-09 08:14:34 +0200 |
commit | 9069838b30fb3b48af0123e39f664cea683254a5 (patch) | |
tree | 536cf19a8b79e3a17b83fc30785d72d85849dd58 | |
parent | facb0e4662415b5f28163e853dc6742ac5fafb3d (diff) |
security:read_data fix bad realloc()
... that could end up a double-free
CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
-rw-r--r-- | lib/security.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/lib/security.c b/lib/security.c index 550ea2da8..c5e4e135d 100644 --- a/lib/security.c +++ b/lib/security.c @@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn, struct krb5buffer *buf) { int len; - void *tmp = NULL; CURLcode result; result = socket_read(fd, &len, sizeof(len)); @@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn, if(len) { /* only realloc if there was a length */ len = ntohl(len); - tmp = Curl_saferealloc(buf->data, len); + buf->data = Curl_saferealloc(buf->data, len); } - if(tmp == NULL) + if(!len || !buf->data) return CURLE_OUT_OF_MEMORY; - buf->data = tmp; result = socket_read(fd, buf->data, len); if(result) return result; |