security:read_data fix bad realloc()

... that could end up a double-free CVE-2019-5481 Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
author: Daniel Stenberg <daniel@haxx.se> 2019-09-03 22:59:32 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2019-09-09 08:14:34 +0200
commit: 9069838b30fb3b48af0123e39f664cea683254a5 (patch)
tree: 536cf19a8b79e3a17b83fc30785d72d85849dd58 /lib/security.c
parent: facb0e4662415b5f28163e853dc6742ac5fafb3d (diff)
download: curl-9069838b30fb3b48af0123e39f664cea683254a5.tar.gz
1 files changed, 2 insertions, 4 deletions
diff --git a/lib/security.c b/lib/security.c
index 550ea2da8..c5e4e135d 100644
--- a/lib/security.c
+++ b/lib/security.c
@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
                           struct krb5buffer *buf)
 {
   int len;
-  void *tmp = NULL;
   CURLcode result;
 
   result = socket_read(fd, &len, sizeof(len));
@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
   if(len) {
     /* only realloc if there was a length */
     len = ntohl(len);
-    tmp = Curl_saferealloc(buf->data, len);
+    buf->data = Curl_saferealloc(buf->data, len);
   }
-  if(tmp == NULL)
+  if(!len || !buf->data)
     return CURLE_OUT_OF_MEMORY;
 
-  buf->data = tmp;
   result = socket_read(fd, buf->data, len);
   if(result)
     return result;
author	Daniel Stenberg <daniel@haxx.se>	2019-09-03 22:59:32 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2019-09-09 08:14:34 +0200
commit	9069838b30fb3b48af0123e39f664cea683254a5 (patch)
tree	536cf19a8b79e3a17b83fc30785d72d85849dd58 /lib/security.c
parent	facb0e4662415b5f28163e853dc6742ac5fafb3d (diff)
download	curl-9069838b30fb3b48af0123e39f664cea683254a5.tar.gz