summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2018-09-25 07:49:35 +0200
committerDaniel Stenberg <daniel@haxx.se>2018-09-25 07:49:35 +0200
commit4aaa79e1657e063f061a8f9c2afac0f5af066f9e (patch)
tree9c196f422982181cdd462b3295361e369b850b44
parent16fefeee1e4d6d8534f97f8c133b2e509cca4d9e (diff)
downloadcurl-bagder/http-fuzz-leak.tar.gz
http: fix memleak in rewind error pathbagder/http-fuzz-leak
If the rewind would fail, a strdup() would not get freed. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665
-rw-r--r--lib/http.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/lib/http.c b/lib/http.c
index 02ba13340..47e47193d 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -537,14 +537,6 @@ CURLcode Curl_http_auth_act(struct connectdata *conn)
}
if(pickhost || pickproxy) {
- /* In case this is GSS auth, the newurl field is already allocated so
- we must make sure to free it before allocating a new one. As figured
- out in bug #2284386 */
- Curl_safefree(data->req.newurl);
- data->req.newurl = strdup(data->change.url); /* clone URL */
- if(!data->req.newurl)
- return CURLE_OUT_OF_MEMORY;
-
if((data->set.httpreq != HTTPREQ_GET) &&
(data->set.httpreq != HTTPREQ_HEAD) &&
!conn->bits.rewindaftersend) {
@@ -552,6 +544,13 @@ CURLcode Curl_http_auth_act(struct connectdata *conn)
if(result)
return result;
}
+ /* In case this is GSS auth, the newurl field is already allocated so
+ we must make sure to free it before allocating a new one. As figured
+ out in bug #2284386 */
+ Curl_safefree(data->req.newurl);
+ data->req.newurl = strdup(data->change.url); /* clone URL */
+ if(!data->req.newurl)
+ return CURLE_OUT_OF_MEMORY;
}
else if((data->req.httpcode < 300) &&
(!data->state.authhost.done) &&