cookie: avoid harmless use after free

This fix removes a use after free which can be triggered by
the internal cookie fuzzer, but otherwise is probably
impossible to trigger from an ordinary application.

The following program reproduces it:

        #include "curl_setup.h"   /* curl lib-internal headers: build inside the curl source tree */
        #include <curl/curl.h>
        #include "cookie.h"       /* Curl_cookie_init, Curl_flush_cookies, Curl_cookie_cleanup */

        /* CURL * converts implicitly to struct Curl_easy * in C, which the internal calls take */
        int main(void)
        {
          curl_global_init(CURL_GLOBAL_DEFAULT);
          CURL *handle = curl_easy_init();
          struct CookieInfo *info = Curl_cookie_init(handle, NULL, NULL, false);
          curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null"); /* enables the cookie engine */
          Curl_flush_cookies(handle, true);  /* frees the handle's cookies */
          Curl_cookie_cleanup(info);
          curl_easy_cleanup(handle);         /* flushes again: the use after free before this fix */
          curl_global_cleanup();
          return 0;
        }

This was found through fuzzing.

Closes #4454
pauldreik authored and bagder committed Oct 3, 2019
1 parent 0b38639 commit 13ecc0725f723ce7068c114610f6d1418945705a
Showing with 1 addition and 0 deletions.
  1. +1 −0 lib/cookie.c
@@ -1646,6 +1646,7 @@ void Curl_flush_cookies(struct Curl_easy *data, int cleanup)

if(cleanup && (!data->share || (data->cookies != data->share->cookies))) {
Curl_cookie_cleanup(data->cookies);
data->cookies = NULL;
}
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
}
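Review bot: the added `data->cookies = NULL;` only helps if every later path that reaches this function with the same handle (the commit message's reproducer calls Curl_flush_cookies and then curl_easy_cleanup, which flushes again) treats a NULL `data->cookies` as "no cookies", so it is worth confirming that the cookie output and Curl_cookie_cleanup calls on that path accept NULL, and adding a one-line comment next to the assignment saying why the pointer is cleared after Curl_cookie_cleanup(data->cookies), since the reason is not visible from this hunk alone.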

0 comments on commit 13ecc07
