mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 23:58:49 -05:00
nss: fix a possible use-after-free in SelectClientCert()
... causing a SIGSEGV in showit() in case the handle used to initiate the connection has already been freed. This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803. Reported-by: Rob Sanders Bug: https://bugzilla.redhat.com/1436158
This commit is contained in:
parent
c89eb6d0f8
commit
42a4cd4c78
@ -2184,6 +2184,10 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */
|
||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||
ssize_t rc;
|
||||
|
||||
/* The SelectClientCert() hook uses this for infof() and failf() but the
|
||||
handle stored in nss_setup_connect() could have already been freed. */
|
||||
connssl->data = conn->data;
|
||||
|
||||
rc = PR_Send(connssl->handle, mem, (int)len, 0, PR_INTERVAL_NO_WAIT);
|
||||
if(rc < 0) {
|
||||
PRInt32 err = PR_GetError();
|
||||
@ -2217,6 +2221,10 @@ static ssize_t nss_recv(struct connectdata *conn, /* connection data */
|
||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||
ssize_t nread;
|
||||
|
||||
/* The SelectClientCert() hook uses this for infof() and failf() but the
|
||||
handle stored in nss_setup_connect() could have already been freed. */
|
||||
connssl->data = conn->data;
|
||||
|
||||
nread = PR_Recv(connssl->handle, buf, (int)buffersize, 0,
|
||||
PR_INTERVAL_NO_WAIT);
|
||||
if(nread < 0) {
|
||||
|
Loading…
Reference in New Issue
Block a user