From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Tue, 3 Sep 2019 22:59:32 +0200
Subject: [PATCH] security:read_data fix bad realloc()
... that could end up a double-free
CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5
Signed-off-by: Kamil Dudka
---
 lib/security.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/lib/security.c b/lib/security.c
index 550ea2d..c5e4e13 100644
--- a/lib/security.c
+++ b/lib/security.c
@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
 struct krb5buffer *buf)
 {
 int len;
- void *tmp = NULL;
 CURLcode result;
 result = socket_read(fd, &len, sizeof(len));
@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
 if(len) {
 /* only realloc if there was a length */
 len = ntohl(len);
- tmp = Curl_saferealloc(buf->data, len);
+ buf->data = Curl_saferealloc(buf->data, len);
 }
- if(tmp == NULL)
+ if(!len || !buf->data)
 return CURLE_OUT_OF_MEMORY;
- buf->data = tmp;
 result = socket_read(fd, buf->data, len);
 if(result)
 return result;
-- 
2.20.1
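Review bot: In the second hunk `len` still comes straight from the peer and reaches `Curl_saferealloc()` without a range check. It is a signed `int`, so after `ntohl()` a value with the top bit set is negative and converts to a very large size, and any positive value is accepted as an allocation size. The new `!buf->data` test catches a failed allocation, but an explicit bound before the realloc would not depend on the allocator refusing the request, e.g. `if(len <= 0 || len > MAX_BLOCK_LEN) return CURLE_OUT_OF_MEMORY;`, where `MAX_BLOCK_LEN` is a placeholder for a limit the project would have to choose. A zero length is also reported as `CURLE_OUT_OF_MEMORY`, so a comment such as `/* zero-length block from the peer is treated as an error too */` on that test would help anyone diagnosing a malformed reply. `read_data()` begins and ends outside the hunk, so whether other fields of `buf` are reset on this error path cannot be confirmed from here.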