moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity

Curl_close: clear data->multi_easy on free to avoid use-after-free 

Regression from b46cfbc068 (7.59.0)
CVE-2018-16840
Reported-by: Brian Carpenter (Geeknik Labs)

Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
This commit is contained in:
Daniel Stenberg 2018-10-18 15:07:15 +02:00
parent 9d8dad1a9d
commit 81d135d671
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/url.c
View File

@ -331,10 +331,12 @@ CURLcode Curl_close(struct Curl_easy *data)
and detach this handle from there. */
curl_multi_remove_handle(data->multi, data);
if(data->multi_easy)
if(data->multi_easy) {
/* when curl_easy_perform() is used, it creates its own multi handle to
use and this is the one */
curl_multi_cleanup(data->multi_easy);
data->multi_easy = NULL;
}
/* Destroy the timeout list that is held in the easy handle. It is
/normally/ done by curl_multi_remove_handle() but this is "just in