aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorPaul Dreik <github@pauldreik.se>2019-10-03 10:57:09 +0200
committerDaniel Stenberg <daniel@haxx.se>2019-10-03 15:43:50 +0200
commit13ecc0725f723ce7068c114610f6d1418945705a (patch)
treee3c3c0670873617b4fea2f8f180c174c6a3bf5eb /lib
parent0b386392d60360bd642e0f115249debea3367913 (diff)
cookie: avoid harmless use after free
This fix removes a use after free which can be triggered by the internal cookie fuzzer, but otherwise is probably impossible to trigger from an ordinary application. The following program reproduces it: curl_global_init(CURL_GLOBAL_DEFAULT); CURL* handle=curl_easy_init(); CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false); curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null"); Curl_flush_cookies(handle, true); Curl_cookie_cleanup(info); curl_easy_cleanup(handle); curl_global_cleanup(); This was found through fuzzing. Closes #4454
Diffstat (limited to 'lib')
-rw-r--r--lib/cookie.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/cookie.c b/lib/cookie.c
index f6b52df2f..c6c4a7bdd 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -1646,6 +1646,7 @@ void Curl_flush_cookies(struct Curl_easy *data, int cleanup)
if(cleanup && (!data->share || (data->cookies != data->share->cookies))) {
Curl_cookie_cleanup(data->cookies);
+ data->cookies = NULL;
}
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
}