From: Daniel Gustafsson <daniel@yesql.se>
Date: Wed, 1 May 2019 11:14:15 +0000 (+0200)
Subject: cookie: Guard against possible NULL ptr deref
X-Git-Tag: curl-7_65_0~102
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b45fd8938e534091b4be2051093c6f38b8771ec8;p=thirdparty%2Fcurl.git

cookie: Guard against possible NULL ptr deref

In case the name pointer isn't set (due to memory pressure most likely)
we need to skip the prefix matching and reject with a badcookie to avoid
a possible NULL pointer dereference.

Closes #3820 #3821
Reported-by: Jonathan Moerman
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
---

diff --git a/lib/cookie.c b/lib/cookie.c
index d26fd03f71..15bb28166e 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -874,11 +874,13 @@ Curl_cookie_add(struct Curl_easy *data,
         co->name = strdup(ptr);
         if(!co->name)
           badcookie = TRUE;
-        /* For Netscape file format cookies we check prefix on the name */
-        if(strncasecompare("__Secure-", co->name, 9))
-          co->prefix |= COOKIE_PREFIX__SECURE;
-        else if(strncasecompare("__Host-", co->name, 7))
-          co->prefix |= COOKIE_PREFIX__HOST;
+        else {
+          /* For Netscape file format cookies we check prefix on the name */
+          if(strncasecompare("__Secure-", co->name, 9))
+            co->prefix |= COOKIE_PREFIX__SECURE;
+          else if(strncasecompare("__Host-", co->name, 7))
+            co->prefix |= COOKIE_PREFIX__HOST;
+        }
         break;
       case 6:
         co->value = strdup(ptr);