Skip to content

cookie: avoid harmless use after free#4454

Closed
pauldreik wants to merge 2 commits intocurl:masterfrom
pauldreik:paul/cookie-use-after-free
Closed

cookie: avoid harmless use after free#4454
pauldreik wants to merge 2 commits intocurl:masterfrom
pauldreik:paul/cookie-use-after-free

Conversation

@pauldreik
Copy link
Contributor

@pauldreik pauldreik commented Oct 3, 2019

This fix removes a use after free which can be triggered by
the internal cookie fuzzer, but otherwise is probably
impossible to trigger from an ordinary application (Thanks @bagder for checking).

The following program reproduces it:

        curl_global_init(CURL_GLOBAL_DEFAULT);
        CURL*  handle=curl_easy_init();
        CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false);
        curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null");
        Curl_flush_cookies(handle, true);
        Curl_cookie_cleanup(info);
        curl_easy_cleanup(handle);
        curl_global_cleanup();

This was found through fuzzing.

@pauldreik
cookie: avoid harmless use after free
b6f2785 
This fix removes a use after free which can be triggered by
the internal cookie fuzzer, but otherwise is probably
impossible to trigger from an ordinary application.

The following program reproduces it:

        curl_global_init(CURL_GLOBAL_DEFAULT);
        CURL*  handle=curl_easy_init();
        CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false);
        curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null");
        Curl_flush_cookies(handle, true);
        Curl_cookie_cleanup(info);
        curl_easy_cleanup(handle);
        curl_global_cleanup();

This was found through fuzzing.
@bagder
Copy link
Member

bagder commented Oct 3, 2019

Picky checksrc:

./cookie.c:1649:19: warning: no space after equals sign (EQUALSNOSPACE)
     data->cookies=NULL;
                   ^

@pauldreik
cookie: fix formatting
c73f789 
when will I ever learn
@bagder
Copy link
Member

bagder commented Oct 3, 2019

Thanks!

@bagder bagder closed this in 13ecc07 Oct 3, 2019
@pauldreik pauldreik mentioned this pull request Oct 3, 2019
Open
@pauldreik pauldreik deleted the paul/cookie-use-after-free branch October 4, 2019 10:36
@lock lock bot locked as resolved and limited conversation to collaborators Jan 2, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@bagder bagder bagder approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pauldreik @bagder