From 28bd29aac47982ff0453c416de498733bf4053d5 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 7 Mar 2023 17:55:18 +0100 Subject: [PATCH 1/3] tlv: do not leak on allocation failure in curl_slist_append --- curl_fuzzer_tlv.cc | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/curl_fuzzer_tlv.cc b/curl_fuzzer_tlv.cc index 4bb151f2..b2366099 100644 --- a/curl_fuzzer_tlv.cc +++ b/curl_fuzzer_tlv.cc @@ -100,6 +100,7 @@ int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv) int rc; char *tmp = NULL; uint32_t tmp_u32; + curl_slist *new_list; switch(tlv->type) { /* The pointers in response TLVs will always be valid as long as the fuzz @@ -143,14 +144,21 @@ int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv) } tmp = fuzz_tlv_to_string(tlv); - fuzz->header_list = curl_slist_append(fuzz->header_list, tmp); + new_list = curl_slist_append(fuzz->header_list, tmp); + if (new_list == NULL) { + // keep on despite allocation failure + break; + } + fuzz->header_list = new_list; fuzz->header_list_count++; break; case TLV_TYPE_MAIL_RECIPIENT: tmp = fuzz_tlv_to_string(tlv); - fuzz->mail_recipients_list = - curl_slist_append(fuzz->mail_recipients_list, tmp); + new_list = curl_slist_append(fuzz->mail_recipients_list, tmp); + if (new_list != NULL) { + fuzz->mail_recipients_list = new_list; + } break; case TLV_TYPE_MIME_PART: From 07f096ededec9535c53d5492fee4c3382478c04f Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 7 Mar 2023 18:11:57 +0100 Subject: [PATCH 2/3] fixup! tlv: do not leak on allocation failure in curl_slist_append --- curl_fuzzer_tlv.cc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/curl_fuzzer_tlv.cc b/curl_fuzzer_tlv.cc index b2366099..b4ba7668 100644 --- a/curl_fuzzer_tlv.cc +++ b/curl_fuzzer_tlv.cc 
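Review bot: The two cases in the `@@ -143,14 +144,21 @@` hunk handle a failed curl_slist_append in two different shapes — the header case bails out with `if (new_list == NULL) { break; }` plus a comment, the mail-recipient case silently keeps the old pointer with `if (new_list != NULL)` — so a reader has to study both to see they mean the same thing. Both are correct because curl_slist_append returns NULL and leaves the input list untouched on failure, but the recipient case should get the same structure and the same comment, e.g. `if (new_list == NULL) { /* keep on despite allocation failure */ break; }` followed by the assignment. The string returned by fuzz_tlv_to_string is not released anywhere in the hunk; presumably the cleanup at the end of fuzz_parse_tlv frees `tmp` after the `break`, and saying so in the comment would stop the hunk from reading like a leak of `tmp`. fuzz_parse_tlv starts and ends outside the hunk.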
@@ -144,9 +144,12 @@ int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv) } tmp = fuzz_tlv_to_string(tlv); + if (tmp == NULL) { + // keep on despite allocation failure + break; + } new_list = curl_slist_append(fuzz->header_list, tmp); if (new_list == NULL) { - // keep on despite allocation failure break; } fuzz->header_list = new_list; @@ -155,6 +158,10 @@ int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv) case TLV_TYPE_MAIL_RECIPIENT: tmp = fuzz_tlv_to_string(tlv); + if (tmp == NULL) { + // keep on despite allocation failure + break; + } new_list = curl_slist_append(fuzz->mail_recipients_list, tmp); if (new_list != NULL) { fuzz->mail_recipients_list = new_list; From bf88eb6ece4e6c06ec7544d56aca879e04b1e1f9 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 7 Mar 2023 20:27:57 +0100 Subject: [PATCH 3/3] fixup! fixup! tlv: do not leak on allocation failure in curl_slist_append --- curl_fuzzer_tlv.cc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/curl_fuzzer_tlv.cc b/curl_fuzzer_tlv.cc index b4ba7668..62e6be8c 100644 --- a/curl_fuzzer_tlv.cc +++ b/curl_fuzzer_tlv.cc @@ -270,6 +270,9 @@ void fuzz_setup_http_post(FUZZ_DATA *fuzz, TLV *tlv) struct curl_httppost *last = NULL; fuzz->post_body = fuzz_tlv_to_string(tlv); + if (fuzz->post_body == NULL) { + return; + } /* This is just one of several possible entrypoints to * the HTTPPOST API. see https://curl.se/libcurl/c/curl_formadd.html
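Review bot: The comment `// keep on despite allocation failure` now annotates only the `tmp == NULL` check, while the `if (new_list != NULL)` branch in the second hunk of patch 2 is left without any explanation, so the two failure paths read as if they were different policies. A single comment stating the invariant the code relies on, placed above the tmp check in both cases, would do: `/* Allocation failed: skip this TLV but keep the list built so far; curl_slist_append leaves its input list untouched on failure. */`. The same check/append/assign sequence now appears twice with only the list pointer differing; a small `static` helper taking `struct curl_slist **` would keep the two from drifting apart again, though the `header_list_count++` in the first case means it would have to report success. Whether fuzz_tlv_to_string returns NULL only on allocation failure cannot be seen from the hunk; fuzz_parse_tlv extends beyond both hunks.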
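Review bot: The early `return` after `fuzz->post_body = fuzz_tlv_to_string(tlv)` fails silently: fuzz_setup_http_post is void, so the caller cannot tell that no form was built, and whatever the rest of the function does with `last` is skipped. For a fuzzer that is an acceptable policy, but it should be recorded at the return, e.g. `/* allocation failure: leave the form unset; the transfer then runs without a POST body */`, with the wording adjusted to whatever field the function actually fills outside the hunk. If the remainder of the function calls curl_formadd as its comment suggests, that call also allocates and returns a CURLFORMcode, so it deserves the same treatment this series gives curl_slist_append. fuzz_setup_http_post continues past the end of the hunk.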