authorPaul Dreik <github@pauldreik.se>2019-10-03 10:57:09 +0200
committerDaniel Stenberg <daniel@haxx.se>2019-10-03 15:43:50 +0200
commit13ecc0725f723ce7068c114610f6d1418945705a (patch)
treee3c3c0670873617b4fea2f8f180c174c6a3bf5eb
parent0b386392d60360bd642e0f115249debea3367913 (diff)
cookie: avoid harmless use after free
This fix removes a use after free which can be triggered by the internal cookie fuzzer, but otherwise is probably impossible to trigger from an ordinary application. The following program reproduces it: curl_global_init(CURL_GLOBAL_DEFAULT); CURL* handle=curl_easy_init(); CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false); curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null"); Curl_flush_cookies(handle, true); Curl_cookie_cleanup(info); curl_easy_cleanup(handle); curl_global_cleanup(); This was found through fuzzing. Closes #4454
-rw-r--r--lib/cookie.c1
1 files changed, 1 insertions, 0 deletions
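--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -1646,6 +1646,7 @@ void Curl_flush_cookies(struct Curl_easy *data, int cleanup)
 if(cleanup && (!data->share || (data->cookies != data->share->cookies))) {
 Curl_cookie_cleanup(data->cookies);
+data->cookies = NULL;
 }
 Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
 }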
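Review bot: The added `data->cookies = NULL;` carries no explanation, so a later reader may see it as a redundant store after a cleanup and drop it, reintroducing the double free the commit describes; a why-comment such as `/* a later flush (e.g. from Curl_close) must not free this again */` would pin the intent. The line is only effective because the next cleanup path tolerates a NULL pointer, which the hunk does not show; it is worth confirming that Curl_cookie_cleanup and any later reader of data->cookies in this function's callers handle NULL rather than dereferencing it. Curl_flush_cookies begins before this hunk, so the jar-writing path that precedes the cleanup is not visible here. The shared-cookie branch is unaffected, since the condition leaves a pointer owned by data->share untouched.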