WARNING! Gitlab maintenance operation scheduled for Thursday, 18 June between 19:00 and 20:00 (CET). During this time window, short service interruptions (less than 5 minutes) may occur. Thank you in advance for your understanding.

Commit 3d6460ed authored Sep 28, 2016 by Daniel Stenberg

krb5: avoid realloc(0)

If the requested size is zero, bail out with error instead of doing a
realloc() that would cause a double-free: realloc(0) acts as a free()
and then there's a second free in the cleanup path.

CVE-2016-8619

Bug: https://curl.haxx.se/docs/adv_20161102E.html
Reported-by: Cure53

parent 8732ec40

lib/security.c

+6 −3

Original line number	Diff line number	Diff line
		@@ -192,15 +192,18 @@ static CURLcode read_data(struct connectdata *conn,
		struct krb5buffer *buf)
		{
		int len;
		void* tmp;
		void *tmp = NULL;
		CURLcode result;

		result = socket_read(fd, &len, sizeof(len));
		if(result)
		return result;

		if(len) {
		/* only realloc if there was a length */
		len = ntohl(len);
		tmp = realloc(buf->data, len);
		}
		if(tmp == NULL)
		return CURLE_OUT_OF_MEMORY;

Admin message