From: Viktor Szakats Date: Mon, 20 Oct 2025 20:23:39 +0000 (+0200) Subject: socks_gssapi: also reset buffer length after free X-Git-Tag: rc-8_17_0-3~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4f03e3fcbd2857be1821fbac4875592c2a81feff;p=thirdparty%2Fcurl.git socks_gssapi: also reset buffer length after free To mimic this behavior of the previously used `gss_release_buffer()`. Some or all of these zero assignments may be redundant. Follow-up to e7818999dbeff5acb00c032860d2259a1c5f9c5b #19018 Closes #19167 --- diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c index 9b0b31792b..34380ae9a0 100644 --- a/lib/socks_gssapi.c +++ b/lib/socks_gssapi.c @@ -167,6 +167,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, } Curl_safefree(service.value); + service.length = 0; if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_import_name()")) { @@ -191,8 +192,10 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, TRUE, &gss_ret_flags); - if(gss_token != GSS_C_NO_BUFFER) + if(gss_token != GSS_C_NO_BUFFER) { Curl_safefree(gss_recv_token.value); + gss_recv_token.length = 0; + } if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_init_sec_context") || /* the size needs to fit in a 16 bit field */ @@ -293,6 +296,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, failf(data, "Failed to receive GSS-API authentication token."); gss_release_name(&gss_status, &server); Curl_safefree(gss_recv_token.value); + gss_recv_token.length = 0; Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } 
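Review bot: The pair `Curl_safefree(x.value); x.length = 0;` is now written out by hand at every release site in Curl_SOCKS5_gssapi_negotiate (this hunk for `service`, and the hunks at -191, -293, -403, -482, -493 and -516 for the send and receive tokens), so a later edit can easily free the value and leave a stale length behind. A small file-local helper would keep the "value is NULL, length is zero" invariant in one place, for example `static void socks5_gss_buf_free(gss_buffer_desc *b) { Curl_safefree(b->value); b->length = 0; }`, assuming these variables are all `gss_buffer_desc` (their declarations are outside the hunks). If the calls stay inline, a one-line comment at the first site such as `/* keep length in sync with the freed value, as gss_release_buffer() did */` would record why the assignment is there. The function body starts and ends outside the hunk.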
@@ -403,12 +407,14 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_wrap")) { Curl_safefree(gss_send_token.value); + gss_send_token.length = 0; gss_release_buffer(&gss_status, &gss_w_token); Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); failf(data, "Failed to wrap GSS-API encryption value into token."); return CURLE_COULDNT_CONNECT; } Curl_safefree(gss_send_token.value); + gss_send_token.length = 0; us_length = htons((unsigned short)gss_w_token.length); memcpy(socksreq + 2, &us_length, sizeof(short)); @@ -482,6 +488,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, if(result || (actualread != us_length)) { failf(data, "Failed to receive GSS-API encryption type."); Curl_safefree(gss_recv_token.value); + gss_recv_token.length = 0; Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } @@ -493,12 +500,14 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_unwrap")) { Curl_safefree(gss_recv_token.value); + gss_recv_token.length = 0; gss_release_buffer(&gss_status, &gss_w_token); Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); failf(data, "Failed to unwrap GSS-API encryption value into token."); return CURLE_COULDNT_CONNECT; } Curl_safefree(gss_recv_token.value); + gss_recv_token.length = 0; if(gss_w_token.length != 1) { failf(data, "Invalid GSS-API encryption response length (%zu).", 
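Review bot: `us_length = htons((unsigned short)gss_w_token.length);` in the -403 hunk truncates silently if gss_wrap() hands back a token longer than 65535 bytes, and no range check on `gss_w_token.length` is visible in this hunk, whereas the gss_init_sec_context path carries an explicit "needs to fit in a 16 bit field" check. If no such check exists just outside the hunk, reject oversized tokens before the cast with `if(gss_w_token.length > 0xffff)`, followed by the same cleanup and `return CURLE_COULDNT_CONNECT;` as the gss_wrap error branch. The following `memcpy(socksreq + 2, &us_length, sizeof(short));` would also be more robust as `sizeof(us_length)`, so the copy size is tied to the variable's own type. The enclosing function continues outside the hunk.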
@@ -516,12 +525,14 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, failf(data, "Invalid GSS-API encryption response length (%zu).", gss_recv_token.length); Curl_safefree(gss_recv_token.value); + gss_recv_token.length = 0; Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } memcpy(socksreq, gss_recv_token.value, gss_recv_token.length); Curl_safefree(gss_recv_token.value); + gss_recv_token.length = 0; } (void)curlx_nonblock(sock, TRUE);