luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cookie: avoid harmless use after free

Browse Source 
This fix removes a use after free which can be triggered by
the internal cookie fuzzer, but otherwise is probably
impossible to trigger from an ordinary application.

The following program reproduces it:

        curl_global_init(CURL_GLOBAL_DEFAULT);
        CURL*  handle=curl_easy_init();
        CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false);
        curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null");
        Curl_flush_cookies(handle, true);
        Curl_cookie_cleanup(info);
        curl_easy_cleanup(handle);
        curl_global_cleanup();

This was found through fuzzing.

Closes #4454
This commit is contained in:
Paul Dreik 2019-10-03 10:57:09 +02:00 committed by Daniel Stenberg
parent 0b386392d6
commit 13ecc0725f
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/cookie.c
View File

@ -1646,6 +1646,7 @@ void Curl_flush_cookies(struct Curl_easy *data, int cleanup)
if(cleanup && (!data->share || (data->cookies != data->share->cookies))) {
Curl_cookie_cleanup(data->cookies);
data->cookies = NULL;
}
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
}