httpsrr: free old pointers when storing new

In case we get "funny" input and the same field is provided several
times, free the old pointer before storing a new memdup.

Reported in Joshua's sarif data

Closes #18631
Daniel Stenberg 2025-09-20 12:12:02 +02:00
parent 979366a625
commit 50968d0378
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2


@ -98,6 +98,7 @@ CURLcode Curl_httpsrr_set(struct Curl_easy *data,
case HTTPS_RR_CODE_IPV4: /* addr4 list */
if(!vlen || (vlen & 3)) /* the size must be 4-byte aligned */
return CURLE_BAD_FUNCTION_ARGUMENT;
free(hi->ipv4hints);
hi->ipv4hints = Curl_memdup(val, vlen);
if(!hi->ipv4hints)
return CURLE_OUT_OF_MEMORY;
@ -107,6 +108,7 @@ CURLcode Curl_httpsrr_set(struct Curl_easy *data,
case HTTPS_RR_CODE_ECH:
if(!vlen)
return CURLE_BAD_FUNCTION_ARGUMENT;
free(hi->echconfiglist);
hi->echconfiglist = Curl_memdup(val, vlen);
if(!hi->echconfiglist)
return CURLE_OUT_OF_MEMORY;
@ -116,6 +118,7 @@ CURLcode Curl_httpsrr_set(struct Curl_easy *data,
case HTTPS_RR_CODE_IPV6: /* addr6 list */
if(!vlen || (vlen & 15)) /* the size must be 16-byte aligned */
return CURLE_BAD_FUNCTION_ARGUMENT;
free(hi->ipv6hints);
hi->ipv6hints = Curl_memdup(val, vlen);
if(!hi->ipv6hints)
return CURLE_OUT_OF_MEMORY;
@ -186,6 +189,7 @@ CURLcode Curl_httpsrr_from_ares(struct Curl_easy *data,
is in ServiceMode */
target = ares_dns_rr_get_str(rr, ARES_RR_HTTPS_TARGET);
if(target && target[0]) {
free(hinfo->target);
hinfo->target = strdup(target);
if(!hinfo->target) {
result = CURLE_OUT_OF_MEMORY;
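Review bot: In the `HTTPS_RR_CODE_IPV4` case of `Curl_httpsrr_set`, the added `free(hi->ipv4hints);` makes a repeated key silently replace the earlier value, and nothing visible here says that last-wins is the intended policy; the ECH and IPv6 cases behave the same way. RFC 9460 treats a record whose SvcParamKeys are not in strictly increasing order as malformed, so for DNS-supplied input rejecting the duplicate may be the safer choice, e.g. `if(hi->ipv4hints) return CURLE_BAD_FUNCTION_ARGUMENT;`, assuming the struct is not deliberately refilled across records (the callers are outside this view). If replacement is intended, a short comment such as `/* a repeated key replaces the earlier value */` before each free would record that decision. Both function bodies begin and end outside these hunks.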