From f7aeff58a369d3cd2caac4f3becd7c683ba900c7 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Fri, 12 Mar 2021 02:34:03 +0100
Subject: [PATCH] cookies: Fix potential NULL pointer deref with PSL

Curl_cookie_init can be called with data being NULL, and this can in turn
be passed to Curl_cookie_add, meaning that both functions must be careful
to only use data where it's checked for being a NULL pointer.  The libpsl
support code does however dereference data without checking, so if we are
indeed having an unset data pointer we cannot PSL check the cookiedomain.

This is currently not a reachable dereference, as the only caller with a
NULL data isn't passing a file to initialize cookies from, but since the
API has this contract let's ensure we hold it.

Closes #6731
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
---
 lib/cookie.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/cookie.c b/lib/cookie.c
index 09fd092ac..c7229c001 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -951,8 +951,12 @@ Curl_cookie_add(struct Curl_easy *data,
     remove_expired(c);
 
 #ifdef USE_LIBPSL
-  /* Check if the domain is a Public Suffix and if yes, ignore the cookie. */
-  if(domain && co->domain && !isip(co->domain)) {
+  /*
+   * Check if the domain is a Public Suffix and if yes, ignore the cookie. We
+   * must also check that the data handle isn't NULL since the psl code will
+   * dereference it.
+   */
+  if(data && (domain && co->domain && !isip(co->domain))) {
     const psl_ctx_t *psl = Curl_psl_use(data);
     int acceptable;