From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001

From: Daniel Stenberg <daniel@haxx.se>

Date: Tue, 3 Sep 2019 22:59:32 +0200

Subject: [PATCH] security:read_data fix bad realloc()

... that could end up a double-free

CVE-2019-5481

Bug: https://curl.haxx.se/docs/CVE-2019-5481.html

Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 lib/security.c | 6 ++----

 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/lib/security.c b/lib/security.c

index 550ea2d..c5e4e13 100644

--- a/lib/security.c

+++ b/lib/security.c

@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,

                           struct krb5buffer *buf)

 {

   int len;

-  void *tmp = NULL;

   CURLcode result;

   result = socket_read(fd, &len, sizeof(len));

@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,

   if(len) {

     /* only realloc if there was a length */

     len = ntohl(len);

-    tmp = Curl_saferealloc(buf->data, len);

+    buf->data = Curl_saferealloc(buf->data, len);

   }

-  if(tmp == NULL)

+  if(!len || !buf->data)

     return CURLE_OUT_OF_MEMORY;

-  buf->data = tmp;

   result = socket_read(fd, buf->data, len);

   if(result)

     return result;

-- 

2.20.1