authorDaniel Gustafsson <daniel@yesql.se>2019-05-01 13:14:15 +0200
committerDaniel Gustafsson <daniel@yesql.se>2019-05-01 13:14:15 +0200
commitb45fd8938e534091b4be2051093c6f38b8771ec8 (patch)
treedc11565c69790cc131bfccfa2689a0cb24444609
parentb898b4c06cf8f821fbcd27808f42115b16a151b0 (diff)
downloadcurl-b45fd8938e534091b4be2051093c6f38b8771ec8.tar.gz
cookie: Guard against possible NULL ptr deref
In case the name pointer isn't set (due to memory pressure most likely) we need to skip the prefix matching and reject with a badcookie to avoid a possible NULL pointer dereference. Closes #3820 #3821 Reported-by: Jonathan Moerman Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-rw-r--r--lib/cookie.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/lib/cookie.c b/lib/cookie.c
index d26fd03f7..15bb28166 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -874,11 +874,13 @@ Curl_cookie_add(struct Curl_easy *data,
co->name = strdup(ptr);
if(!co->name)
badcookie = TRUE;
- /* For Netscape file format cookies we check prefix on the name */
- if(strncasecompare("__Secure-", co->name, 9))
- co->prefix |= COOKIE_PREFIX__SECURE;
- else if(strncasecompare("__Host-", co->name, 7))
- co->prefix |= COOKIE_PREFIX__HOST;
+ else {
+ /* For Netscape file format cookies we check prefix on the name */
+ if(strncasecompare("__Secure-", co->name, 9))
+ co->prefix |= COOKIE_PREFIX__SECURE;
+ else if(strncasecompare("__Host-", co->name, 7))
+ co->prefix |= COOKIE_PREFIX__HOST;
+ }
break;
case 6:
co->value = strdup(ptr);
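Review bot: The prefix lengths `9` and `7` in the new `else` block are hand-counted against the literals `"__Secure-"` and `"__Host-"`; they are correct as written, but a later miscount would make `strncasecompare` compare the wrong number of bytes and silently set or miss `COOKIE_PREFIX__SECURE` / `COOKIE_PREFIX__HOST`. Deriving the length from the literal keeps the two in step, e.g. `if(strncasecompare("__Secure-", co->name, sizeof("__Secure-") - 1))`. The `badcookie = TRUE;` branch would also benefit from a short comment such as `/* strdup failed: co->name is NULL, so skip the prefix match */`, so the reason for the `else` stays with the code. The `co->value = strdup(ptr);` under `case 6` continues past the end of this hunk, so whether its result gets the same NULL handling cannot be confirmed from here and is worth checking. The enclosing switch in Curl_cookie_add starts and ends outside the hunk.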