mirror of
https://github.com/moparisthebest/curl
synced 2024-12-24 17:18:48 -05:00
security:read_data fix bad realloc()
... that could end up a double-free CVE-2019-5481 Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
This commit is contained in:
parent
facb0e4662
commit
9069838b30
@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
|
|||||||
struct krb5buffer *buf)
|
struct krb5buffer *buf)
|
||||||
{
|
{
|
||||||
int len;
|
int len;
|
||||||
void *tmp = NULL;
|
|
||||||
CURLcode result;
|
CURLcode result;
|
||||||
|
|
||||||
result = socket_read(fd, &len, sizeof(len));
|
result = socket_read(fd, &len, sizeof(len));
|
||||||
@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
|
|||||||
if(len) {
|
if(len) {
|
||||||
/* only realloc if there was a length */
|
/* only realloc if there was a length */
|
||||||
len = ntohl(len);
|
len = ntohl(len);
|
||||||
tmp = Curl_saferealloc(buf->data, len);
|
buf->data = Curl_saferealloc(buf->data, len);
|
||||||
}
|
}
|
||||||
if(tmp == NULL)
|
if(!len || !buf->data)
|
||||||
return CURLE_OUT_OF_MEMORY;
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
buf->data = tmp;
|
|
||||||
result = socket_read(fd, buf->data, len);
|
result = socket_read(fd, buf->data, len);
|
||||||
if(result)
|
if(result)
|
||||||
return result;
|
return result;
|
||||||
|
Loading…
Reference in New Issue
Block a user