From: Daniel Stenberg Date: Thu, 13 Jan 2022 13:27:06 +0000 (+0100) Subject: mqtt: free any leftover when done X-Git-Tag: curl-7_82_0~212 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=84853d94f2b8ac1cfd2ed3e3849e2af0f464d22c;p=thirdparty%2Fcurl.git mqtt: free any leftover when done Oss-fuzz found an issue when the "sendleftovers" pointer could leak memory. Fix this by always freeing it (if still assigned) in the done function. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43515 Closes #8274 --- diff --git a/lib/mqtt.c b/lib/mqtt.c index fcd40b41e6..c056ae77b2 100644 --- a/lib/mqtt.c +++ b/lib/mqtt.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2020 - 2021, Daniel Stenberg, , et al. + * Copyright (C) 2020 - 2022, Daniel Stenberg, , et al. * Copyright (C) 2019, Björn Stenberg, * * This software is licensed as described in the file COPYING, which @@ -60,6 +60,8 @@ */ static CURLcode mqtt_do(struct Curl_easy *data, bool *done); +static CURLcode mqtt_done(struct Curl_easy *data, + CURLcode status, bool premature); static CURLcode mqtt_doing(struct Curl_easy *data, bool *done); static int mqtt_getsock(struct Curl_easy *data, struct connectdata *conn, curl_socket_t *sock); @@ -74,7 +76,7 @@ const struct Curl_handler Curl_handler_mqtt = { "MQTT", /* scheme */ mqtt_setup_conn, /* setup_connection */ mqtt_do, /* do_it */ - ZERO_NULL, /* done */ + mqtt_done, /* done */ ZERO_NULL, /* do_more */ ZERO_NULL, /* connect_it */ ZERO_NULL, /* connecting */ @@ -692,6 +694,16 @@ static CURLcode mqtt_do(struct Curl_easy *data, bool *done) return CURLE_OK; } +static CURLcode mqtt_done(struct Curl_easy *data, + CURLcode status, bool premature) +{ + struct MQTT *mq = data->req.p.mqtt; + (void)status; + (void)premature; + Curl_safefree(mq->sendleftovers); + return CURLE_OK; +} + static CURLcode mqtt_doing(struct Curl_easy *data, bool *done) { CURLcode result = CURLE_OK;