File curl-CVE-2016-8619.patch of Package curl.10931

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2016-8619.patch of Package curl.10931

From 6c1811521c5f6453e0a1a492522c2e421da356bf Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 28 Sep 2016 12:56:02 +0200
Subject: [PATCH] krb5: avoid realloc(0)

If the requested size is zero, bail out with error instead of doing a
realloc() that would cause a double-free: realloc(0) acts as a free()
and then there's a second free in the cleanup path.
---
 lib/security.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

Index: curl-7.37.0/lib/security.c
===================================================================
--- curl-7.37.0.orig/lib/security.c	2016-10-20 15:17:01.738332131 +0200
+++ curl-7.37.0/lib/security.c	2016-10-20 15:17:20.374310503 +0200
@@ -199,15 +199,18 @@ static CURLcode read_data(struct connect
                           struct krb5buffer *buf)
 {
   int len;
-  void* tmp;
+  void *tmp = NULL;
   CURLcode ret;
 
   ret = socket_read(fd, &len, sizeof(len));
   if(ret != CURLE_OK)
     return ret;
 
+  if(len) {
+    /* only realloc if there was a length */
   len = ntohl(len);
   tmp = realloc(buf->data, len);
+  }
   if(tmp == NULL)
     return CURLE_OUT_OF_MEMORY;

Places

File curl-CVE-2016-8619.patch of Package curl.10931

Places