author | Daniel Stenberg <daniel@haxx.se> | 2020-08-16 11:34:35 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2020-08-17 14:33:09 +0200 |
commit | 3c9e021f86872baae412a427e807fbfa2f3e8a22 (patch) | |
tree | 13f8dcd7655ead28abee32bbca8b8783335f4d2b /lib/connect.c | |
parent | 687908c6e6332b2bf4ba74b271e795f9c65a5a61 (diff) | |
download | curl-3c9e021f86872baae412a427e807fbfa2f3e8a22.tar.gz |
Curl_easy: remember last connection by id, not by pointer
CVE-2020-8231
Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
Reported-by: Marc Aldorasi
Closes #5824
Diffstat (limited to 'lib/connect.c')
-rw-r--r-- | lib/connect.c | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/lib/connect.c b/lib/connect.c
index 313c23315..b000b1b2c 100644
--- a/lib/connect.c
+++ b/lib/connect.c
@@ -1363,15 +1363,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */
 }
 struct connfind {
- struct connectdata *tofind;
- bool found;
+ long id_tofind;
+ struct connectdata *found;
 };
 static int conn_is_conn(struct connectdata *conn, void *param) {
 struct connfind *f = (struct connfind *)param;
- if(conn == f->tofind) {
- f->found = TRUE;
+ if(conn->connection_id == f->id_tofind) {
+ f->found = conn;
 return 1;
 }
 return 0;
@@ -1393,21 +1393,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
 * - that is associated with a multi handle, and whose connection
 * was detached with CURLOPT_CONNECT_ONLY */
- if(data->state.lastconnect && (data->multi_easy || data->multi)) {
- struct connectdata *c = data->state.lastconnect;
+ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
+ struct connectdata *c;
 struct connfind find;
- find.tofind = data->state.lastconnect;
- find.found = FALSE;
+ find.id_tofind = data->state.lastconnect_id;
+ find.found = NULL;
 Curl_conncache_foreach(data, data->multi_easy? &data->multi_easy->conn_cache: &data->multi->conn_cache, &find, conn_is_conn);
 if(!find.found) {
- data->state.lastconnect = NULL;
+ data->state.lastconnect_id = -1;
 return CURL_SOCKET_BAD;
 }
+ c = find.found;
 if(connp) { /* only store this if the caller cares for it */
 *connp = c; |
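Review bot: `struct connfind` and `conn_is_conn()` have no comment explaining why the match is on `connection_id` rather than on the pointer, which is the security-relevant reason for the change. I would add above the struct something like `/* look up by id: a stale connectdata pointer may equal the address of a newer connection, an id is expected to stay unique */`, and note on `found` that the callback sets it and that it stays NULL when no cached connection carries that id. The comparison also assumes `connection_id` is a `long` and is not reused while the cache lives; neither is visible in this hunk, so it is worth confirming where the id is assigned.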
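Review bot: After `c = find.found;` the pointer is used once `Curl_conncache_foreach()` has already returned, so whatever protects the cache during the walk (not visible here) no longer covers `c` by the time it is stored in `*connp`. If the cache can be shared between handles, the connection could be closed between lookup and use, which would leave a smaller stale-pointer window. A comment at the assignment would make the contract explicit, e.g. `/* c is valid only while the cache still holds it; do not keep it across calls that may close connections */`. The literal `-1` is also used twice as the "no connection" sentinel and has to match the initialiser elsewhere, so a named constant would tie them together. The function body starts and ends outside this hunk.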