Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cookie: avoid harmless use after free #4454

Closed
wants to merge 2 commits into from
Closed

cookie: avoid harmless use after free #4454

wants to merge 2 commits into from

Conversation

pauldreik
Copy link
Contributor

This fix removes a use after free which can be triggered by
the internal cookie fuzzer, but otherwise is probably
impossible to trigger from an ordinary application (Thanks @bagder for checking).

The following program reproduces it:

        curl_global_init(CURL_GLOBAL_DEFAULT);
        CURL*  handle=curl_easy_init();
        CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false);
        curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null");
        Curl_flush_cookies(handle, true);
        Curl_cookie_cleanup(info);
        curl_easy_cleanup(handle);
        curl_global_cleanup();

This was found through fuzzing.

@pauldreik
cookie: avoid harmless use after free
b6f2785 
This fix removes a use after free which can be triggered by
the internal cookie fuzzer, but otherwise is probably
impossible to trigger from an ordinary application.

The following program reproduces it:

        curl_global_init(CURL_GLOBAL_DEFAULT);
        CURL*  handle=curl_easy_init();
        CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false);
        curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null");
        Curl_flush_cookies(handle, true);
        Curl_cookie_cleanup(info);
        curl_easy_cleanup(handle);
        curl_global_cleanup();

This was found through fuzzing.
@bagder
Copy link
Member

bagder commented Oct 3, 2019

Picky checksrc:

./cookie.c:1649:19: warning: no space after equals sign (EQUALSNOSPACE)
     data->cookies=NULL;
                   ^

@pauldreik
cookie: fix formatting
c73f789 
when will I ever learn
@bagder
Copy link
Member

bagder commented Oct 3, 2019

Thanks!

@bagder bagder closed this in 13ecc07 Oct 3, 2019
@pauldreik pauldreik mentioned this pull request Oct 3, 2019
Open
@pauldreik pauldreik deleted the paul/cookie-use-after-free branch October 4, 2019 10:36
@lock lock bot locked as resolved and limited conversation to collaborators Jan 2, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bagder bagder bagder approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@pauldreik @bagder