| author | Rich Burridge <rich.burridge@oracle.com> |
| Tue, 02 May 2017 17:33:26 -0700 | |
| changeset 7964 | d9801318ed3d |
| parent 7552 | 17fdfad41903 |
| permissions | -rw-r--r-- |
|
7552
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
1 |
From 91239f7040b1f026d4d15765e7e3f58e92e93761 Mon Sep 17 00:00:00 2001 |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
2 |
From: Daniel Stenberg <[email protected]> |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
3 |
Date: Wed, 28 Sep 2016 12:56:02 +0200 |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
4 |
Subject: [PATCH] krb5: avoid realloc(0) |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
5 |
|
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
6 |
If the requested size is zero, bail out with error instead of doing a |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
7 |
realloc() that would cause a double-free: realloc(0) acts as a free() |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
8 |
and then there's a second free in the cleanup path. |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
9 |
|
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
10 |
CVE-2016-8619 |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
11 |
|
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
12 |
Bug: https://curl.haxx.se/docs/adv_20161102E.html |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
13 |
Reported-by: Cure53 |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
14 |
--- |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
15 |
lib/security.c | 9 ++++++--- |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
16 |
1 file changed, 6 insertions(+), 3 deletions(-) |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
17 |
|
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
18 |
--- lib/security.c |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
19 |
+++ lib/security.c |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
20 |
@@ -190,19 +190,22 @@ socket_write(struct connectdata *conn, curl_socket_t fd, const void *to, |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
21 |
static CURLcode read_data(struct connectdata *conn, |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
22 |
curl_socket_t fd, |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
23 |
struct krb5buffer *buf) |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
24 |
{
|
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
25 |
int len; |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
26 |
- void* tmp; |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
27 |
+ void *tmp = NULL; |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
28 |
CURLcode result; |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
29 |
|
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
30 |
result = socket_read(fd, &len, sizeof(len)); |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
31 |
if(result) |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
32 |
return result; |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
33 |
|
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
34 |
- len = ntohl(len); |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
35 |
- tmp = realloc(buf->data, len); |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
36 |
+ if(len) {
|
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
37 |
+ /* only realloc if there was a length */ |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
38 |
+ len = ntohl(len); |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
39 |
+ tmp = realloc(buf->data, len); |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
40 |
+ } |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
41 |
if(tmp == NULL) |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
42 |
return CURLE_OUT_OF_MEMORY; |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
43 |
|
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
44 |
buf->data = tmp; |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
45 |
result = socket_read(fd, buf->data, len); |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
46 |
-- |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
47 |
2.9.3 |
|
17fdfad41903
25241371 problem in LIBRARY/CURL
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
diff
changeset
|
48 |