diff options
author | Daniel Stenberg <daniel@haxx.se> | 2018-09-25 07:49:35 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2018-09-25 07:49:35 +0200 |
commit | 4aaa79e1657e063f061a8f9c2afac0f5af066f9e (patch) | |
tree | 9c196f422982181cdd462b3295361e369b850b44 | |
parent | 16fefeee1e4d6d8534f97f8c133b2e509cca4d9e (diff) | |
download | curl-bagder/http-fuzz-leak.tar.gz |
http: fix memleak in rewind error pathbagder/http-fuzz-leak
If the rewind would fail, a strdup() would not get freed.
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665
-rw-r--r-- | lib/http.c | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/lib/http.c b/lib/http.c index 02ba13340..47e47193d 100644 --- a/lib/http.c +++ b/lib/http.c @@ -537,14 +537,6 @@ CURLcode Curl_http_auth_act(struct connectdata *conn) } if(pickhost || pickproxy) { - /* In case this is GSS auth, the newurl field is already allocated so - we must make sure to free it before allocating a new one. As figured - out in bug #2284386 */ - Curl_safefree(data->req.newurl); - data->req.newurl = strdup(data->change.url); /* clone URL */ - if(!data->req.newurl) - return CURLE_OUT_OF_MEMORY; - if((data->set.httpreq != HTTPREQ_GET) && (data->set.httpreq != HTTPREQ_HEAD) && !conn->bits.rewindaftersend) { @@ -552,6 +544,13 @@ CURLcode Curl_http_auth_act(struct connectdata *conn) if(result) return result; } + /* In case this is GSS auth, the newurl field is already allocated so + we must make sure to free it before allocating a new one. As figured + out in bug #2284386 */ + Curl_safefree(data->req.newurl); + data->req.newurl = strdup(data->change.url); /* clone URL */ + if(!data->req.newurl) + return CURLE_OUT_OF_MEMORY; } else if((data->req.httpcode < 300) && (!data->state.authhost.done) && |