From 84eb9fee765d8614b5f4d56e1db3ea02322301fe Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 12 Apr 2008 11:50:51 +0000 Subject: [PATCH] - Andre Guibert de Bruet found and fixed a case where malloc() was called but was not checked for a NULL return, in the Negotiate code. --- CHANGES | 4 ++++ RELEASE-NOTES | 3 ++- lib/http_negotiate.c | 10 ++++++++-- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index cc6ae31..6d28e45 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,10 @@ Changelog +Daniel Stenberg (12 Apr 2008) +- Andre Guibert de Bruet found and fixed a case where malloc() was called but + was not checked for a NULL return, in the Negotiate code. + Daniel Fandrich (9 Apr 2008) - Added test cases 1024 & 1025 to test a scenario similar to the one reported by Ben Combee where libcurl would send the wrong cookie to a redirected diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 85dc6e3..fbb1f90 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -19,6 +19,7 @@ This release includes the following bugfixes: the confusion that could lead to a hung transfer o curl_easy_reset() resets the max redirect limit properly o configure now correctly recognizes Heimdal and MIT gssapi libraries + o malloc() failure check in Negotiate This release includes the following known bugs: @@ -36,6 +37,6 @@ This release would not have looked like this without help, code, reports and advice from friends like these: Michal Marek, Daniel Fandrich, Scott Barrett, Alexey Simak, Daniel Black, - Rafa Muyo + Rafa Muyo, Andre Guibert de Bruet Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index f4aab7d..ac8ad58 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -116,6 +116,8 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) infof(conn->data, "%s", buf); } +/* returning zero (0) means success, everything else is treated as "failure" + with no care exactly what the failure was */ int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *header) { @@ -185,9 +187,13 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, unsigned char * mechToken = NULL; size_t mechTokenLength = 0; - spnegoToken = malloc(input_token.length); if(input_token.value == NULL) - return ENOMEM; + return CURLE_OUT_OF_MEMORY; + + spnegoToken = malloc(input_token.length); + if(spnegoToken == NULL) + return CURLE_OUT_OF_MEMORY; + spnegoTokenLength = input_token.length; object = OBJ_txt2obj ("1.2.840.113554.1.2.2", 1); -- 2.7.4