moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity

ntlm_wb: fix double-free in OOM 

Detected by torture testing test 1310

Closes #4710
This commit is contained in:
Daniel Stenberg 2019-12-13 12:27:49 +01:00
parent 86f9c67629
commit 68ffe6c17d
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 6 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
lib/curl_ntlm_wb.c
View File

@ -108,10 +108,8 @@ void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn)
conn->ntlm_auth_hlpr_pid = 0;
}
free(conn->challenge_header);
conn->challenge_header = NULL;
free(conn->response_header);
conn->response_header = NULL;
Curl_safefree(conn->challenge_header);
Curl_safefree(conn->response_header);
}
static CURLcode ntlm_wb_init(struct connectdata *conn, const char *userp)
@ -393,7 +391,6 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
struct auth *authp;
CURLcode res = CURLE_OK;
char *input;
DEBUGASSERT(conn);
DEBUGASSERT(conn->data);
@ -444,19 +441,17 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
proxy ? "Proxy-" : "",
conn->response_header);
DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
free(conn->response_header);
Curl_safefree(conn->response_header);
if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY;
conn->response_header = NULL;
break;
case NTLMSTATE_TYPE2:
input = aprintf("TT %s\n", conn->challenge_header);
case NTLMSTATE_TYPE2: {
char *input = aprintf("TT %s\n", conn->challenge_header);
if(!input)
return CURLE_OUT_OF_MEMORY;
res = ntlm_wb_response(conn, input, *state);
free(input);
input = NULL;
if(res)
return res;
@ -471,7 +466,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY;
break;
}
case NTLMSTATE_TYPE3:
/* connection is already authenticated,
* don't send a header in future requests */