transfer: clear the URL pointer in OOM to avoid UAF

Since the pointer can be extracted with CURLINFO_EFFECTIVE_URL later it
must not linger pointing to freed memory.

Found by Codex Security

Closes #21123
Daniel Stenberg 2026-03-27 14:49:24 +01:00
parent 28fbf4a87d
commit 86b39c2226
GPG Key ID: 5CC908FDB71E12C2

@ -469,6 +469,8 @@ CURLcode Curl_pretransfer(struct Curl_easy *data)
uc = curl_url_get(data->set.uh,
CURLUPART_URL, &data->set.str[STRING_SET_URL], 0);
if(uc) {
/* clear the pointer to not point to freed memory anymore */
Curl_bufref_set(&data->state.url, NULL, 0, NULL);
failf(data, "No URL set");
return CURLE_URL_MALFORMAT;
}
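
Review bot: the if(uc) branch in Curl_pretransfer still reports every curl_url_get() failure as CURLE_URL_MALFORMAT with "No URL set", while the commit message describes an out-of-memory failure. Consider returning CURLE_OUT_OF_MEMORY when uc is CURLUE_OUT_OF_MEMORY, so the error the application sees matches the condition that triggered the cleanup. The added comment could also name which buffer data->state.url was referring to, since the free it mentions is not visible in this hunk and the invariant (state.url must never outlive the string it references) is the part a later editor of this function needs to know. A regression test that forces the allocation failure and then reads CURLINFO_EFFECTIVE_URL would keep the NULL reset from being dropped.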