50 lines
1.3 KiB
Diff
50 lines
1.3 KiB
Diff
|
From 47736feee3eb92b3527237316f60c880421bbce4 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Wed, 28 Sep 2016 12:56:02 +0200
|
||
|
Subject: [PATCH] krb5: avoid realloc(0)
|
||
|
|
||
|
If the requested size is zero, bail out with error instead of doing a
|
||
|
realloc() that would cause a double-free: realloc(0) acts as a free()
|
||
|
and then there's a second free in the cleanup path.
|
||
|
|
||
|
CVE-2016-8619
|
||
|
|
||
|
Bug: https://curl.haxx.se/docs/adv_20161102E.html
|
||
|
Reported-by: Cure53
|
||
|
|
||
|
Upstream-commit: 3d6460edeee21d7d790ec570d0887bed1f4366dd
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
lib/security.c | 9 ++++++---
|
||
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/lib/security.c b/lib/security.c
|
||
|
index 014bbf1..74d924c 100644
|
||
|
--- a/lib/security.c
|
||
|
+++ b/lib/security.c
|
||
|
@@ -192,15 +192,18 @@ static CURLcode read_data(struct connectdata *conn,
|
||
|
struct krb5buffer *buf)
|
||
|
{
|
||
|
int len;
|
||
|
- void* tmp;
|
||
|
+ void *tmp = NULL;
|
||
|
CURLcode result;
|
||
|
|
||
|
result = socket_read(fd, &len, sizeof(len));
|
||
|
if(result)
|
||
|
return result;
|
||
|
|
||
|
- len = ntohl(len);
|
||
|
- tmp = realloc(buf->data, len);
|
||
|
+ if(len) {
|
||
|
+ /* only realloc if there was a length */
|
||
|
+ len = ntohl(len);
|
||
|
+ tmp = realloc(buf->data, len);
|
||
|
+ }
|
||
|
if(tmp == NULL)
|
||
|
return CURLE_OUT_OF_MEMORY;
|
||
|
|
||
|
--
|
||
|
2.7.4
|
||
|
|