author | Daniel Stenberg <daniel@haxx.se> | 2019-12-13 12:27:49 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2019-12-13 13:01:01 +0100 |
commit | 68ffe6c17d6e44b459d60805813f646d244a186b (patch) | |
tree | fa0f71c15b72519df9919e227289d82d93e3a672 /lib | |
parent | 86f9c67629599a8da299cf3981f82878a39dca09 (diff) |
ntlm_wb: fix double-free in OOM
Detected by torture testing test 1310
Closes #4710
Diffstat (limited to 'lib')
-rw-r--r-- | lib/curl_ntlm_wb.c | 17 |
1 files changed, 6 insertions, 11 deletions
diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c
index 80266e2a4..30b54de44 100644
--- a/lib/curl_ntlm_wb.c
+++ b/lib/curl_ntlm_wb.c
@@ -108,10 +108,8 @@ void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn)
 conn->ntlm_auth_hlpr_pid = 0;
 }
- free(conn->challenge_header);
- conn->challenge_header = NULL;
- free(conn->response_header);
- conn->response_header = NULL;
+ Curl_safefree(conn->challenge_header);
+ Curl_safefree(conn->response_header);
 }
 static CURLcode ntlm_wb_init(struct connectdata *conn, const char *userp)
@@ -393,7 +391,6 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
 struct auth *authp;
 CURLcode res = CURLE_OK;
- char *input;
 DEBUGASSERT(conn);
 DEBUGASSERT(conn->data);
@@ -444,19 +441,17 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
 proxy ? "Proxy-" : "", conn->response_header);
 DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
- free(conn->response_header);
+ Curl_safefree(conn->response_header);
 if(!*allocuserpwd)
 return CURLE_OUT_OF_MEMORY;
- conn->response_header = NULL;
 break;
- case NTLMSTATE_TYPE2:
- input = aprintf("TT %s\n", conn->challenge_header);
+ case NTLMSTATE_TYPE2: {
+ char *input = aprintf("TT %s\n", conn->challenge_header);
 if(!input)
 return CURLE_OUT_OF_MEMORY;
 res = ntlm_wb_response(conn, input, *state);
 free(input);
- input = NULL;
 if(res)
 return res;
@@ -471,7 +466,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
 if(!*allocuserpwd)
 return CURLE_OUT_OF_MEMORY;
 break;
-
+ }
 case NTLMSTATE_TYPE3:
 /* connection is already authenticated,
 * don't send a header in future requests */ |
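Review bot: In the hunk at `@@ -444,19 +441,17 @@`, nothing records that `Curl_safefree(conn->response_header);` has to stay ahead of the `if(!*allocuserpwd) return CURLE_OUT_OF_MEMORY;` return. The first hunk shows Curl_http_auth_cleanup_ntlm_wb() releasing the same pointer, so a stale value left behind on this early return would presumably be freed a second time when that cleanup runs. A one-line comment such as `/* clear before any return: the ntlm_wb cleanup frees this pointer again */` would keep a later reordering from bringing the double free back. Separately, the context line `DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));` runs before the NULL check, so on the same out-of-memory path it passes NULL to `%s` whenever DEBUG_OUT is compiled in; moving it below the check avoids that. The enclosing switch in Curl_output_ntlm_wb starts and ends outside this hunk.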