rpms / curl

Clone
Source Code
GIT

Blame SOURCES/0019-curl-7.65.3-CVE-2019-5481.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   f5da4f1c2ebcfb7c675dce993d81ea0245ed5e1b
  2.   SOURCES
  3.   0019-curl-7.65.3-CVE-2019-5481.patch
Blob History Raw
3bb8f6 
From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001
3bb8f6 
From: Daniel Stenberg <daniel@haxx.se>
3bb8f6 
Date: Tue, 3 Sep 2019 22:59:32 +0200
3bb8f6 
Subject: [PATCH] security:read_data fix bad realloc()
3bb8f6
3bb8f6 
... that could end up a double-free
3bb8f6
3bb8f6 
CVE-2019-5481
3bb8f6 
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
3bb8f6
3bb8f6 
Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5
3bb8f6 
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
3bb8f6 
---
3bb8f6 
 lib/security.c | 6 ++----
3bb8f6 
 1 file changed, 2 insertions(+), 4 deletions(-)
3bb8f6
3bb8f6 
diff --git a/lib/security.c b/lib/security.c
3bb8f6 
index 550ea2d..c5e4e13 100644
3bb8f6 
--- a/lib/security.c
3bb8f6 
+++ b/lib/security.c
3bb8f6 
@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
3bb8f6 
                           struct krb5buffer *buf)
3bb8f6 
 {
3bb8f6 
   int len;
3bb8f6 
-  void *tmp = NULL;
3bb8f6 
   CURLcode result;
3bb8f6
3bb8f6 
   result = socket_read(fd, &len, sizeof(len));
3bb8f6 
@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
3bb8f6 
   if(len) {
3bb8f6 
     /* only realloc if there was a length */
3bb8f6 
     len = ntohl(len);
3bb8f6 
-    tmp = Curl_saferealloc(buf->data, len);
3bb8f6 
+    buf->data = Curl_saferealloc(buf->data, len);
3bb8f6 
   }
3bb8f6 
-  if(tmp == NULL)
3bb8f6 
+  if(!len || !buf->data)
3bb8f6 
     return CURLE_OUT_OF_MEMORY;
3bb8f6
3bb8f6 
-  buf->data = tmp;
3bb8f6 
   result = socket_read(fd, buf->data, len);
3bb8f6 
   if(result)
3bb8f6 
     return result;
3bb8f6 
--
3bb8f6 
2.20.1
3bb8f6

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation