From a58b27740fd78fee88b35104fa71b7019280ccff Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Thu, 13 Dec 2018 10:15:00 +0100
Subject: [PATCH] OS400: handle memory error in list conversion

Curl_slist_append_nodup() returns NULL when it fails to create a new
item for the specified list, and since the coding here reassigned the
new list on top of the old list it would result in a dangling pointer
and lost memory. Also, in case we hit an allocation failure at some
point during the conversion, with allocation succeeding again on the
subsequent call(s) we will return a truncated list around the malloc
failure point. Fix by assigning to a temporary list pointer, which can
be checked (which is the common pattern for slist appending), and free
all the resources on allocation failure.

Closes #3372
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
---
 packages/OS400/ccsidcurl.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/packages/OS400/ccsidcurl.c b/packages/OS400/ccsidcurl.c
index b1d3ba845d..ca711d0c01 100644
--- a/packages/OS400/ccsidcurl.c
+++ b/packages/OS400/ccsidcurl.c
@@ -219,13 +219,20 @@ slist_convert(int dccsid, struct curl_slist * from, int sccsid)
   struct curl_slist * to = (struct curl_slist *) NULL;
 
   for(; from; from = from->next) {
+    struct curl_slist *nl;
     char * cp = dynconvert(dccsid, from->data, -1, sccsid);
 
     if(!cp) {
       curl_slist_free_all(to);
       return (struct curl_slist *) NULL;
     }
-    to = Curl_slist_append_nodup(to, cp);
+    nl = Curl_slist_append_nodup(to, cp);
+    if(!nl) {
+      curl_slist_free_all(to);
+      free(cp);
+      return NULL;
+    }
+    to = nl;
   }
   return to;
 }
-- 
GitLab