File curl-CVE-2016-8619.patch of Package curl.openSUSE_Leap_42.3_Update
From 6c1811521c5f6453e0a1a492522c2e421da356bf Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 28 Sep 2016 12:56:02 +0200
Subject: [PATCH] krb5: avoid realloc(0)
If the requested size is zero, bail out with error instead of doing a
realloc() that would cause a double-free: realloc(0) acts as a free()
and then there's a second free in the cleanup path.
---
lib/security.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
Index: curl-7.37.0/lib/security.c
===================================================================
--- curl-7.37.0.orig/lib/security.c 2016-10-20 15:17:01.738332131 +0200
+++ curl-7.37.0/lib/security.c 2016-10-20 15:17:20.374310503 +0200
@@ -199,15 +199,18 @@ static CURLcode read_data(struct connect
struct krb5buffer *buf)
{
int len;
- void* tmp;
+ void *tmp = NULL;
CURLcode ret;
ret = socket_read(fd, &len, sizeof(len));
if(ret != CURLE_OK)
return ret;
+ if(len) {
+ /* only realloc if there was a length */
len = ntohl(len);
tmp = realloc(buf->data, len);
+ }
if(tmp == NULL)
return CURLE_OUT_OF_MEMORY;