Free data->state.formp when Curl_getformdata return non-zero value #12419
lib/http.c
@@ -3260,7 +3260,11 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) | |||
|
|||
result = Curl_http_body(data, conn, httpreq, &te); | |||
if(result) | |||
{ | |||
if (data->state.formp) |
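Review bot: the cleanup placed under `if(result)` after the Curl_http_body() call in Curl_http runs for every error Curl_http_body() can return, not only the Curl_getformdata failure named in the title, so confirm that is intended or move the free to the point where the error occurs. The new lines also depart from the style of the context line `if(result)`: the opening brace sits on its own line and `if (data->state.formp)` has a space after `if`; use `if(result) {` and `if(` to match. Whatever frees the pointer should also leave data->state.formp set to NULL, since the stated goal is safe reuse of the handle.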
No need for an if() here.
But do follow the code style, as otherwise the CI jobs will be sad.
I propose this slightly different version, which frees the pointer closer to where the error happens:
From 5b2a4caf7b3cff535df3f146eeec6bc7cfdc6259 Mon Sep 17 00:00:00 2001
From: yushicheng7788 <lance.yu@zoom.us>
Date: Tue, 28 Nov 2023 15:49:49 +0800
Subject: [PATCH] Curl_http_body: Free data->state.formp when Curl_getformdata
errors
Fixes #12410
---
lib/http.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/http.c b/lib/http.c
index 45748dd29..be6d442e8 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -2437,12 +2437,14 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn,
if(!data->state.formp)
return CURLE_OUT_OF_MEMORY;
Curl_mime_cleanpart(data->state.formp);
result = Curl_getformdata(data, data->state.formp, data->set.httppost,
data->state.fread_func);
- if(result)
+ if(result) {
+ Curl_safefree(data->state.formp);
return result;
+ }
data->state.mimepost = data->state.formp;
}
break;
#endif
default:
--
2.43.0 |
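Review bot: in the new `if(result) {` block, Curl_safefree(data->state.formp) releases the part structure itself, but nothing on this error path calls Curl_mime_cleanpart() on it; that call only appears before Curl_getformdata(). If Curl_getformdata() can fail after attaching data to the part, that data would leak, so consider calling Curl_mime_cleanpart(data->state.formp) before the free, or add a comment stating that Curl_getformdata() cleans up on failure. The diffstat shows only lib/http.c changed, so a test that triggers the failure and then reuses the handle would be a useful addition.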
Thanks for your review, already changed. And I'm new to curl. I will read more docs later. Thanks for your work again!
Based on your fine recipe on reproducing this problem, I wrote a test case that verified this fix which then led me to do some further fixes as this would cause a memory-leak. My slightly larger take is in #12421
I merged #12421 instead, thanks!
This pull request solves this issue. When Curl_getformdata returns a non-zero value, data->state.formp needs to be released to ensure that the easy handle will not crash when reused.