moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-04 08:35:05 -05:00
Code Issues Releases Wiki Activity

ntlm_wb: fix double-free in OOM

Browse Source 
Detected by torture testing test 1310

Closes #4710
This commit is contained in:
Daniel Stenberg 2019-12-13 12:27:49 +01:00
parent 86f9c67629
commit 68ffe6c17d
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 6 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
lib/curl_ntlm_wb.c
View File

@ -108,10 +108,8 @@ void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn)
conn->ntlm_auth_hlpr_pid = 0; conn->ntlm_auth_hlpr_pid = 0;
} }
free(conn->challenge_header); Curl_safefree(conn->challenge_header);
conn->challenge_header = NULL; Curl_safefree(conn->response_header);
free(conn->response_header);
conn->response_header = NULL;
} }
static CURLcode ntlm_wb_init(struct connectdata *conn, const char *userp) static CURLcode ntlm_wb_init(struct connectdata *conn, const char *userp)
@ -393,7 +391,6 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
struct auth *authp; struct auth *authp;
CURLcode res = CURLE_OK; CURLcode res = CURLE_OK;
char *input;
DEBUGASSERT(conn); DEBUGASSERT(conn);
DEBUGASSERT(conn->data); DEBUGASSERT(conn->data);
@ -444,19 +441,17 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
proxy ? "Proxy-" : "", proxy ? "Proxy-" : "",
conn->response_header); conn->response_header);
DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd)); DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
free(conn->response_header); Curl_safefree(conn->response_header);
if(!*allocuserpwd) if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
conn->response_header = NULL;
break; break;
case NTLMSTATE_TYPE2: case NTLMSTATE_TYPE2: {
input = aprintf("TT %s\n", conn->challenge_header); char *input = aprintf("TT %s\n", conn->challenge_header);
if(!input) if(!input)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
res = ntlm_wb_response(conn, input, *state); res = ntlm_wb_response(conn, input, *state);
free(input); free(input);
input = NULL;
if(res) if(res)
return res; return res;
@ -471,7 +466,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
if(!*allocuserpwd) if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
break; break;
}
case NTLMSTATE_TYPE3: case NTLMSTATE_TYPE3:
/* connection is already authenticated, /* connection is already authenticated,
* don't send a header in future requests */ * don't send a header in future requests */