From 3d6460edeee21d7d790ec570d0887bed1f4366dd Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 28 Sep 2016 12:56:02 +0200 Subject: [PATCH] krb5: avoid realloc(0) If the requested size is zero, bail out with error instead of doing a realloc() that would cause a double-free: realloc(0) acts as a free() and then there's a second free in the cleanup path. CVE-2016-8619 Bug: https://curl.haxx.se/docs/adv_20161102E.html Reported-by: Cure53 --- lib/security.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/security.c b/lib/security.c index a268d4a62..4cef8f89f 100644 --- a/lib/security.c +++ b/lib/security.c @@ -192,15 +192,18 @@ static CURLcode read_data(struct connectdata *conn, struct krb5buffer *buf) { int len; - void* tmp; + void *tmp = NULL; CURLcode result; result = socket_read(fd, &len, sizeof(len)); if(result) return result; - len = ntohl(len); - tmp = realloc(buf->data, len); + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); + tmp = realloc(buf->data, len); + } if(tmp == NULL) return CURLE_OUT_OF_MEMORY;