aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2019-12-13 12:27:49 +0100
committerDaniel Stenberg <daniel@haxx.se>2019-12-13 13:01:01 +0100
commit68ffe6c17d6e44b459d60805813f646d244a186b (patch)
treefa0f71c15b72519df9919e227289d82d93e3a672 /lib
parent86f9c67629599a8da299cf3981f82878a39dca09 (diff)
ntlm_wb: fix double-free in OOM
Detected by torture testing test 1310 Closes #4710
Diffstat (limited to 'lib')
-rw-r--r--lib/curl_ntlm_wb.c17
1 files changed, 6 insertions, 11 deletions
diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c
index 80266e2a4..30b54de44 100644
--- a/lib/curl_ntlm_wb.c
+++ b/lib/curl_ntlm_wb.c
@@ -108,10 +108,8 @@ void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn)
conn->ntlm_auth_hlpr_pid = 0;
}
- free(conn->challenge_header);
- conn->challenge_header = NULL;
- free(conn->response_header);
- conn->response_header = NULL;
+ Curl_safefree(conn->challenge_header);
+ Curl_safefree(conn->response_header);
}
static CURLcode ntlm_wb_init(struct connectdata *conn, const char *userp)
@@ -393,7 +391,6 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
struct auth *authp;
CURLcode res = CURLE_OK;
- char *input;
DEBUGASSERT(conn);
DEBUGASSERT(conn->data);
@@ -444,19 +441,17 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
proxy ? "Proxy-" : "",
conn->response_header);
DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
- free(conn->response_header);
+ Curl_safefree(conn->response_header);
if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY;
- conn->response_header = NULL;
break;
- case NTLMSTATE_TYPE2:
- input = aprintf("TT %s\n", conn->challenge_header);
+ case NTLMSTATE_TYPE2: {
+ char *input = aprintf("TT %s\n", conn->challenge_header);
if(!input)
return CURLE_OUT_OF_MEMORY;
res = ntlm_wb_response(conn, input, *state);
free(input);
- input = NULL;
if(res)
return res;
@@ -471,7 +466,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY;
break;
-
+ }
case NTLMSTATE_TYPE3:
/* connection is already authenticated,
* don't send a header in future requests */