In ‘lib/security.c’, there is a double-free of the reference ‘buf->data’ on the teardown path if ‘Curl_saferealloc()’ fails.
Also, since we read ‘len’ from the ‘fd’, the sender might be able to remotely trigger a realloc() failure, and then the double-free, by sending the value 0x7fffffff.
Introduced by commit 0649433da ("realloc: use Curl_saferealloc to avoid common mistakes").
The actual double-free was not reproduced.
The realloc failure with this particular ‘len’ value can be reproduced on my 32-bit Linux machine with the following code:
  #include <stdio.h>
  #include <stdlib.h>

  int main(void)
  {
    void *ptr = malloc(10);
    if (!ptr)
      return -1;
    int len = 0x7fffffff;
    void *ptr2 = realloc(ptr, len);
    if (!ptr2) {
      printf("Triggered realloc failure\n");
      return 0;
    }
    return -1;
  }
Also checked the other occurrences of ‘Curl_saferealloc()’ calls, which all seem fine otherwise.
Double-free after a ‘realloc()’ failure, which could be triggered remotely, depending on the use context of the ‘read_data()’ function.
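The defect described above comes from Curl_saferealloc()'s contract: when realloc() fails for a non-zero size, the old block is freed before NULL is returned, so a caller that keeps its old pointer and later frees it on teardown frees it twice. The following added example (not code from curl or from this report) models that contract with a hook to force the failure, and shows the buggy caller pattern beside the fixed one; ‘model_saferealloc’, ‘struct rxbuf’, ‘grow_buggy’, ‘grow_fixed’ and ‘teardown_safe’ are names chosen for this illustration.

```c
#include <stdlib.h>

/* Test hook for the model: when set, the next realloc is forced to fail
   (stands in for a huge 'len' such as 0x7fffffff failing on a 32-bit host). */
static int force_realloc_failure = 0;

/* Model of Curl_saferealloc()'s contract: when realloc() fails for a
   non-zero size, the OLD block is freed before NULL is returned, so a
   caller that keeps the old pointer now holds a dangling reference. */
static void *model_saferealloc(void *ptr, size_t size)
{
  void *datap = NULL;
  if(force_realloc_failure)
    force_realloc_failure = 0;            /* simulated allocator failure */
  else
    datap = realloc(ptr, size);
  if(size && !datap)
    free(ptr);
  return datap;
}

struct rxbuf { void *data; size_t size; };   /* stand-in for buf->data */

/* Buggy pattern: on failure buf->data still points at the block that
   model_saferealloc() already freed, so the teardown path's
   free(buf->data) frees it a second time. Returns -1 on failure. */
static int grow_buggy(struct rxbuf *buf, size_t len)
{
  void *tmp = model_saferealloc(buf->data, len);
  if(!tmp)
    return -1;                            /* buf->data left dangling */
  buf->data = tmp; buf->size = len;
  return 0;
}

/* Hardened pattern: the reference is cleared on failure, so the
   teardown path's free(buf->data) becomes a harmless free(NULL). */
static int grow_fixed(struct rxbuf *buf, size_t len)
{
  void *tmp = model_saferealloc(buf->data, len);
  if(!tmp) {
    buf->data = NULL; buf->size = 0;      /* ownership already gone */
    return -1;
  }
  buf->data = tmp; buf->size = len;
  return 0;
}

/* Returns 1 when the buffer can safely be passed to free() once on teardown. */
static int teardown_safe(const struct rxbuf *buf, int rc)
{
  return rc == 0 || buf->data == NULL;
}
```

With the failure forced, grow_buggy() leaves a dangling buf->data that a teardown free would hit again, while grow_fixed() leaves NULL behind.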