Skip to content
Permalink
Browse files

security:read_data fix bad realloc()

... that could end up a double-free

CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
  • Loading branch information...
bagder committed Sep 3, 2019
1 parent facb0e4 commit 9069838b30fb3b48af0123e39f664cea683254a5
Showing with 2 additions and 4 deletions.
  1. +2 −4 lib/security.c
@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
struct krb5buffer *buf)
{
int len;
void *tmp = NULL;
CURLcode result;

result = socket_read(fd, &len, sizeof(len));
@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
if(len) {
/* only realloc if there was a length */
len = ntohl(len);
tmp = Curl_saferealloc(buf->data, len);
buf->data = Curl_saferealloc(buf->data, len);
}
if(tmp == NULL)
if(!len || !buf->data)
return CURLE_OUT_OF_MEMORY;

buf->data = tmp;
result = socket_read(fd, buf->data, len);
if(result)
return result;

0 comments on commit 9069838

Please sign in to comment.
You can’t perform that action at this time.