You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
curl/SOURCES/0019-curl-7.65.3-CVE-2019-5...

47 lines
1.3 KiB

From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 3 Sep 2019 22:59:32 +0200
Subject: [PATCH] security:read_data fix bad realloc()
... that could end up a double-free
CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/security.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/lib/security.c b/lib/security.c
index 550ea2d..c5e4e13 100644
--- a/lib/security.c
+++ b/lib/security.c
@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
struct krb5buffer *buf)
{
int len;
- void *tmp = NULL;
CURLcode result;
result = socket_read(fd, &len, sizeof(len));
@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
if(len) {
/* only realloc if there was a length */
len = ntohl(len);
- tmp = Curl_saferealloc(buf->data, len);
+ buf->data = Curl_saferealloc(buf->data, len);
}
- if(tmp == NULL)
+ if(!len || !buf->data)
return CURLE_OUT_OF_MEMORY;
- buf->data = tmp;
result = socket_read(fd, buf->data, len);
if(result)
return result;
--
2.20.1