
http: fix memleak in rewind error path

If the rewind failed, the strdup()'ed URL was not freed.

Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665
Closes #3044
Daniel Stenberg 2018-09-25 07:49:35 +02:00
parent 16fefeee1e
commit 4058cf2a7f
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2


@ -537,14 +537,6 @@ CURLcode Curl_http_auth_act(struct connectdata *conn)
} }
if(pickhost || pickproxy) { if(pickhost || pickproxy) {
/* In case this is GSS auth, the newurl field is already allocated so
we must make sure to free it before allocating a new one. As figured
out in bug #2284386 */
Curl_safefree(data->req.newurl);
data->req.newurl = strdup(data->change.url); /* clone URL */
if(!data->req.newurl)
return CURLE_OUT_OF_MEMORY;
if((data->set.httpreq != HTTPREQ_GET) && if((data->set.httpreq != HTTPREQ_GET) &&
(data->set.httpreq != HTTPREQ_HEAD) && (data->set.httpreq != HTTPREQ_HEAD) &&
!conn->bits.rewindaftersend) { !conn->bits.rewindaftersend) {
@ -552,6 +544,13 @@ CURLcode Curl_http_auth_act(struct connectdata *conn)
if(result) if(result)
return result; return result;
} }
/* In case this is GSS auth, the newurl field is already allocated so
we must make sure to free it before allocating a new one. As figured
out in bug #2284386 */
Curl_safefree(data->req.newurl);
data->req.newurl = strdup(data->change.url); /* clone URL */
if(!data->req.newurl)
return CURLE_OUT_OF_MEMORY;
} }
else if((data->req.httpcode < 300) && else if((data->req.httpcode < 300) &&
(!data->state.authhost.done) && (!data->state.authhost.done) &&
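Review bot: In the second hunk, the early `return result;` after a failed rewind now skips `Curl_safefree(data->req.newurl);`, so a `newurl` that was already set on entry stays allocated, where the old order released it first. The moved comment says the field can already be allocated for GSS auth, and the commit message implies this error path does not free it, so the older string may still leak in that case. This is inferred, because the caller's cleanup is not visible here. Consider keeping `Curl_safefree(data->req.newurl);` ahead of the rewind block and moving only the `strdup()` and its NULL check below it. Curl_http_auth_act starts and ends outside the hunk.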