Commit 3d6460ed authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

krb5: avoid realloc(0) 

If the requested size is zero, bail out with error instead of doing a
realloc() that would cause a double-free: realloc(0) acts as a free()
and then there's a second free in the cleanup path.

CVE-2016-8619

Bug: https://curl.haxx.se/docs/adv_20161102E.html
Reported-by: Cure53
parent 8732ec40

lib/security.c

+6 −3
Original line number Diff line number Diff line
@@ -192,15 +192,18 @@ static CURLcode read_data(struct connectdata *conn, 
                          struct krb5buffer *buf)

{

  int len;

  void* tmp;

  void *tmp = NULL;

  CURLcode result;



  result = socket_read(fd, &len, sizeof(len));

  if(result)

    return result;



  if(len) {

    /* only realloc if there was a length */

    len = ntohl(len);

    tmp = realloc(buf->data, len);

  }

  if(tmp == NULL)

    return CURLE_OUT_OF_MEMORY;