moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-15 14:05:03 -05:00
Code Issues Releases Wiki Activity

cookie: Guard against possible NULL ptr deref

Browse Source 
In case the name pointer isn't set (due to memory pressure most likely)
we need to skip the prefix matching and reject with a badcookie to avoid
a possible NULL pointer dereference.

Closes #3820 #3821
Reported-by: Jonathan Moerman
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
This commit is contained in:
Daniel Gustafsson 2019-05-01 13:14:15 +02:00
parent b898b4c06c
commit b45fd8938e
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/cookie.c
View File

@ -874,11 +874,13 @@ Curl_cookie_add(struct Curl_easy *data,
co->name = strdup(ptr); co->name = strdup(ptr);
if(!co->name) if(!co->name)
badcookie = TRUE; badcookie = TRUE;
else {
/* For Netscape file format cookies we check prefix on the name */ /* For Netscape file format cookies we check prefix on the name */
if(strncasecompare("__Secure-", co->name, 9)) if(strncasecompare("__Secure-", co->name, 9))
co->prefix |= COOKIE_PREFIX__SECURE; co->prefix |= COOKIE_PREFIX__SECURE;
else if(strncasecompare("__Host-", co->name, 7)) else if(strncasecompare("__Host-", co->name, 7))
co->prefix |= COOKIE_PREFIX__HOST; co->prefix |= COOKIE_PREFIX__HOST;
}
break; break;
case 6: case 6:
co->value = strdup(ptr); co->value = strdup(ptr);