From b45fd8938e534091b4be2051093c6f38b8771ec8 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Wed, 1 May 2019 13:14:15 +0200 Subject: [PATCH] cookie: Guard against possible NULL ptr deref In case the name pointer isn't set (due to memory pressure most likely) we need to skip the prefix matching and reject with a badcookie to avoid a possible NULL pointer dereference. Closes #3820 #3821 Reported-by: Jonathan Moerman Reviewed-by: Daniel Stenberg --- lib/cookie.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lib/cookie.c b/lib/cookie.c index d26fd03f7..15bb28166 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -874,11 +874,13 @@ Curl_cookie_add(struct Curl_easy *data, co->name = strdup(ptr); if(!co->name) badcookie = TRUE; - /* For Netscape file format cookies we check prefix on the name */ - if(strncasecompare("__Secure-", co->name, 9)) - co->prefix |= COOKIE_PREFIX__SECURE; - else if(strncasecompare("__Host-", co->name, 7)) - co->prefix |= COOKIE_PREFIX__HOST; + else { + /* For Netscape file format cookies we check prefix on the name */ + if(strncasecompare("__Secure-", co->name, 9)) + co->prefix |= COOKIE_PREFIX__SECURE; + else if(strncasecompare("__Host-", co->name, 7)) + co->prefix |= COOKIE_PREFIX__HOST; + } break; case 6: co->value = strdup(ptr); -- 2.40.0