Permalink
Browse files

Curl_close: clear data->multi_easy on free to avoid use-after-free

Regression from b46cfbc (7.59.0)
CVE-2018-16840
Reported-by: Brian Carpenter (Geeknik Labs)

Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
  • Loading branch information...
bagder committed Oct 18, 2018
1 parent 9d8dad1 commit 81d135d67155c5295b1033679c606165d4e28f3f
Showing with 3 additions and 1 deletion.
  1. +3 −1 lib/url.c
View
@@ -331,10 +331,12 @@ CURLcode Curl_close(struct Curl_easy *data)
and detach this handle from there. */
curl_multi_remove_handle(data->multi, data);
if(data->multi_easy)
if(data->multi_easy) {
/* when curl_easy_perform() is used, it creates its own multi handle to
use and this is the one */
curl_multi_cleanup(data->multi_easy);
data->multi_easy = NULL;
}
/* Destroy the timeout list that is held in the easy handle. It is
/normally/ done by curl_multi_remove_handle() but this is "just in

0 comments on commit 81d135d

Please sign in to comment.