From: Paul Dreik
Date: Thu, 3 Oct 2019 08:57:09 +0000 (+0200)
Subject: cookie: avoid harmless use after free
X-Git-Tag: curl-7_67_0~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=13ecc0725f723ce7068c114610f6d1418945705a;p=thirdparty%2Fcurl.git

cookie: avoid harmless use after free

This fix removes a use after free which can be triggered by the
internal cookie fuzzer, but otherwise is probably impossible to
trigger from an ordinary application.

The following program reproduces it:

    curl_global_init(CURL_GLOBAL_DEFAULT);
    CURL* handle=curl_easy_init();
    CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false);
    curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null");
    Curl_flush_cookies(handle, true);
    Curl_cookie_cleanup(info);
    curl_easy_cleanup(handle);
    curl_global_cleanup();

This was found through fuzzing.

Closes #4454
---

diff --git a/lib/cookie.c b/lib/cookie.c
index f6b52df2f4..c6c4a7bdd9 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -1646,6 +1646,7 @@ void Curl_flush_cookies(struct Curl_easy *data, int cleanup)
   if(cleanup && (!data->share || (data->cookies != data->share->cookies))) {
     Curl_cookie_cleanup(data->cookies);
+    data->cookies = NULL;
   }
   Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
 }
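Review bot: the `data->cookies = NULL;` reset sits in the right branch, since it only runs when the easy handle owns its cookie store rather than pointing at the share's, but its effect depends on `Curl_cookie_cleanup` treating a NULL argument as a no-op so that the later flush from `curl_easy_cleanup` does nothing; that contract is not visible in this hunk, so a one-line comment on the new line (for example `data->cookies = NULL; /* freed above; later cleanup must see NULL */`) would tell the next reader why the reset matters and what it relies on. Also, the reproducer in the commit message passes `true` to `Curl_flush_cookies` and the function tests `cleanup` as a boolean, while the signature in the hunk header declares it `int cleanup`; declaring it `bool` would match how it is actually used.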
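A constructed C model of the ownership bug and of the fix, added here as an illustration; it is not curl's code, and `struct CookieInfo`, `struct Curl_easy`, `cookie_cleanup`, `flush_cookies_before`, `flush_cookies_after` and the `tracked_free` double-free detector are stand-ins invented for the example. It replays the sequence from the commit message (set up a cookie store, flush with cleanup, then tear down, which flushes again) and counts how many times the same block is released: the pre-fix flush leaves a dangling `data->cookies` that the second flush hands to cleanup again, while resetting the pointer to NULL after freeing turns the second flush into a no-op.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for curl's CookieInfo and Curl_easy (assumption:
 * these are not curl's real structs, just enough to model ownership). */
struct CookieInfo {
  int numcookies;
};

struct Curl_easy {
  struct CookieInfo *cookies;   /* owned by the handle in this model */
};

/* A tiny double-free detector standing in for what ASan or the fuzzer would
 * report: remember what was freed and refuse to release the same block twice,
 * so the buggy path is observable without corrupting the heap. */
#define MAX_TRACKED 16
static void *g_freed[MAX_TRACKED];
static int g_nfreed;
static int g_double_frees;

static void tracked_reset(void) {
  g_nfreed = 0;
  g_double_frees = 0;
}

static void tracked_free(void *p) {
  for(int i = 0; i < g_nfreed; i++) {
    if(g_freed[i] == p) {
      g_double_frees++;          /* second release of the same block: report, do not free */
      return;
    }
  }
  if(g_nfreed < MAX_TRACKED)
    g_freed[g_nfreed++] = p;
  free(p);
}

static struct CookieInfo *cookie_init(void) {
  return calloc(1, sizeof(struct CookieInfo));
}

/* NULL-tolerant cleanup: the contract a "free then reset to NULL" fix relies on. */
static void cookie_cleanup(struct CookieInfo *c) {
  if(c)
    tracked_free(c);
}

/* Before the fix: frees the store but leaves data->cookies dangling. */
static void flush_cookies_before(struct Curl_easy *data, bool cleanup) {
  if(cleanup)
    cookie_cleanup(data->cookies);
}

/* After the fix: release ownership by resetting the pointer. */
static void flush_cookies_after(struct Curl_easy *data, bool cleanup) {
  if(cleanup) {
    cookie_cleanup(data->cookies);
    data->cookies = NULL;
  }
}

/* Replays the commit message's sequence: a cookie store exists, it is flushed
 * explicitly with cleanup, then handle teardown flushes again.
 * Returns the number of double frees observed. */
static int run_sequence(void (*flush)(struct Curl_easy *, bool)) {
  struct Curl_easy data = { NULL };
  tracked_reset();
  data.cookies = cookie_init();   /* the store CURLOPT_COOKIEJAR sets up */
  flush(&data, true);             /* explicit Curl_flush_cookies(handle, true) */
  flush(&data, true);             /* curl_easy_cleanup flushes once more */
  return g_double_frees;
}

/* True when the fixed flush leaves no dangling pointer behind. */
static bool fixed_flush_resets_pointer(void) {
  struct Curl_easy data = { NULL };
  tracked_reset();
  data.cookies = cookie_init();
  flush_cookies_after(&data, true);
  return data.cookies == NULL;
}

int main(void) {
  printf("before fix: %d double free(s)\n", run_sequence(flush_cookies_before));
  printf("after fix:  %d double free(s)\n", run_sequence(flush_cookies_after));
  return 0;
}
```

The detector compares pointer values only and never dereferences the freed block, which is why the buggy path can be exercised here without undefined behaviour; in the real library the same second cleanup would walk and free the already-released cookie list, which is what the fuzzer caught.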