diff options
author | Daniel Gustafsson <daniel@yesql.se> | 2019-05-01 13:14:15 +0200 |
---|---|---|
committer | Daniel Gustafsson <daniel@yesql.se> | 2019-05-01 13:14:15 +0200 |
commit | b45fd8938e534091b4be2051093c6f38b8771ec8 (patch) | |
tree | dc11565c69790cc131bfccfa2689a0cb24444609 | |
parent | b898b4c06cf8f821fbcd27808f42115b16a151b0 (diff) | |
download | curl-b45fd8938e534091b4be2051093c6f38b8771ec8.tar.gz |
cookie: Guard against possible NULL ptr deref
In case the name pointer isn't set (due to memory pressure most likely)
we need to skip the prefix matching and reject with a badcookie to avoid
a possible NULL pointer dereference.
Closes #3820 #3821
Reported-by: Jonathan Moerman
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-rw-r--r-- | lib/cookie.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/lib/cookie.c b/lib/cookie.c index d26fd03f7..15bb28166 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -874,11 +874,13 @@ Curl_cookie_add(struct Curl_easy *data, co->name = strdup(ptr); if(!co->name) badcookie = TRUE; - /* For Netscape file format cookies we check prefix on the name */ - if(strncasecompare("__Secure-", co->name, 9)) - co->prefix |= COOKIE_PREFIX__SECURE; - else if(strncasecompare("__Host-", co->name, 7)) - co->prefix |= COOKIE_PREFIX__HOST; + else { + /* For Netscape file format cookies we check prefix on the name */ + if(strncasecompare("__Secure-", co->name, 9)) + co->prefix |= COOKIE_PREFIX__SECURE; + else if(strncasecompare("__Host-", co->name, 7)) + co->prefix |= COOKIE_PREFIX__HOST; + } break; case 6: co->value = strdup(ptr); |