smtp: Fixed inappropriate free of the scratch buffer

If the scratch buffer was allocated in a previous call to Curl_smtp_escape_eob(), a new buffer not allocated in the subsequent call and no action taken by that call, then an attempt would be made to try and free the buffer which, by now, would be part of the data->state structure. This bug was introduced in commit 4bd860a.
curl · Dec 12, 2014 · 8a4ce7d · 8a4ce7d
1 parent f0ecdd0
commit 8a4ce7d
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/lib/smtp.c b/lib/smtp.c
@@ -2321,15 +2321,16 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread)
   struct SessionHandle *data = conn->data;
   struct SMTP *smtp = data->req.protop;
   char *scratch = data->state.scratch;
+  char *newscratch = NULL;
   char *oldscratch = NULL;
   size_t eob_sent;
 
   /* Do we need to allocate a scratch buffer? */
   if(!scratch || data->set.crlf) {
     oldscratch = scratch;
 
-    scratch = malloc(2 * BUFSIZE);
-    if(!scratch) {
+    scratch = newscratch = malloc(2 * BUFSIZE);
+    if(!newscratch) {
       failf(data, "Failed to alloc scratch buffer!");
 
       return CURLE_OUT_OF_MEMORY;
@@ -2401,7 +2402,7 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread)
     data->req.upload_present = si;
   }
   else
-    Curl_safefree(scratch);
+    Curl_safefree(newscratch);
 
   return CURLE_OK;
 }