|
 |
b4d5e8 |
From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001
|
|
|
b4d5e8 |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
b4d5e8 |
Date: Tue, 3 Sep 2019 22:59:32 +0200
|
|
|
b4d5e8 |
Subject: [PATCH] security:read_data fix bad realloc()
|
|
|
b4d5e8 |
|
|
|
b4d5e8 |
... that could end up a double-free
|
|
|
b4d5e8 |
|
|
|
b4d5e8 |
CVE-2019-5481
|
|
|
b4d5e8 |
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
|
|
|
b4d5e8 |
|
|
|
b4d5e8 |
Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5
|
|
|
b4d5e8 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
b4d5e8 |
---
|
|
|
b4d5e8 |
lib/security.c | 6 ++----
|
|
|
b4d5e8 |
1 file changed, 2 insertions(+), 4 deletions(-)
|
|
|
b4d5e8 |
|
|
|
b4d5e8 |
diff --git a/lib/security.c b/lib/security.c
|
|
|
b4d5e8 |
index 550ea2d..c5e4e13 100644
|
|
|
b4d5e8 |
--- a/lib/security.c
|
|
|
b4d5e8 |
+++ b/lib/security.c
|
|
|
b4d5e8 |
@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
|
|
|
b4d5e8 |
struct krb5buffer *buf)
|
|
|
b4d5e8 |
{
|
|
|
b4d5e8 |
int len;
|
|
|
b4d5e8 |
- void *tmp = NULL;
|
|
|
b4d5e8 |
CURLcode result;
|
|
|
b4d5e8 |
|
|
|
b4d5e8 |
result = socket_read(fd, &len, sizeof(len));
|
|
|
b4d5e8 |
@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
|
|
|
b4d5e8 |
if(len) {
|
|
|
b4d5e8 |
/* only realloc if there was a length */
|
|
|
b4d5e8 |
len = ntohl(len);
|
|
|
b4d5e8 |
- tmp = Curl_saferealloc(buf->data, len);
|
|
|
b4d5e8 |
+ buf->data = Curl_saferealloc(buf->data, len);
|
|
|
b4d5e8 |
}
|
|
|
b4d5e8 |
- if(tmp == NULL)
|
|
|
b4d5e8 |
+ if(!len || !buf->data)
|
|
|
b4d5e8 |
return CURLE_OUT_OF_MEMORY;
|
|
|
b4d5e8 |
|
|
|
b4d5e8 |
- buf->data = tmp;
|
|
|
b4d5e8 |
result = socket_read(fd, buf->data, len);
|
|
|
b4d5e8 |
if(result)
|
|
|
b4d5e8 |
return result;
|
|
|
b4d5e8 |
--
|
|
|
b4d5e8 |
2.20.1
|
|
|
b4d5e8 |
|