3 files changed, 14 insertions, 3 deletions

diff --git a/CHANGES b/CHANGES
index cc6ae31cf..6d28e453e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@
 
                                   Changelog
 
+Daniel Stenberg (12 Apr 2008)
+- Andre Guibert de Bruet found and fixed a case where malloc() was called but
+  was not checked for a NULL return, in the Negotiate code.
+
 Daniel Fandrich (9 Apr 2008)
 - Added test cases 1024 & 1025 to test a scenario similar to the one reported
   by Ben Combee where libcurl would send the wrong cookie to a redirected
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 85dc6e380..fbb1f901e 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -19,6 +19,7 @@ This release includes the following bugfixes:
    the confusion that could lead to a hung transfer
  o curl_easy_reset() resets the max redirect limit properly
  o configure now correctly recognizes Heimdal and MIT gssapi libraries
+ o malloc() failure check in Negotiate
 
 This release includes the following known bugs:
 
@@ -36,6 +37,6 @@ This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
  Michal Marek, Daniel Fandrich, Scott Barrett, Alexey Simak, Daniel Black,
- Rafa Muyo
+ Rafa Muyo, Andre Guibert de Bruet
 
         Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index f4aab7de4..ac8ad5802 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -116,6 +116,8 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix)
   infof(conn->data, "%s", buf);
 }
 
+/* returning zero (0) means success, everything else is treated as "failure"
+   with no care exactly what the failure was */
 int Curl_input_negotiate(struct connectdata *conn, bool proxy,
                          const char *header)
 {
@@ -185,9 +187,13 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
         unsigned char * mechToken         = NULL;
         size_t          mechTokenLength   = 0;
 
-        spnegoToken = malloc(input_token.length);
         if(input_token.value == NULL)
-          return ENOMEM;
+          return CURLE_OUT_OF_MEMORY;
+
+        spnegoToken = malloc(input_token.length);
+        if(spnegoToken == NULL)
+          return CURLE_OUT_OF_MEMORY;
+
         spnegoTokenLength = input_token.length;
 
         object = OBJ_txt2obj ("1.2.840.113554.1.2.2", 1);