1From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Mon, 19 Dec 2022 08:38:37 +0100
4Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
5
6It is managed by the generic layer.
7
8Reported-by: Trail of Bits
9
10Closes #10112
11
12CVE: CVE-2022-43552
13Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2]
14Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
15
16---
17 lib/smb.c | 14 ++------------
18 lib/telnet.c | 3 ---
19 2 files changed, 2 insertions(+), 15 deletions(-)
20
21diff --git a/lib/smb.c b/lib/smb.c
22index 2cfe041dff072..48d5a2fe006d5 100644
23--- a/lib/smb.c
24+++ b/lib/smb.c
25@@ -58,8 +58,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
26 static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
27 static CURLcode smb_do(struct Curl_easy *data, bool *done);
28 static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
29-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
30- bool premature);
31 static CURLcode smb_disconnect(struct Curl_easy *data,
32 struct connectdata *conn, bool dead);
33 static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
34@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = {
35 "SMB", /* scheme */
36 smb_setup_connection, /* setup_connection */
37 smb_do, /* do_it */
38- smb_done, /* done */
39+ ZERO_NULL, /* done */
40 ZERO_NULL, /* do_more */
41 smb_connect, /* connect_it */
42 smb_connection_state, /* connecting */
43@@ -101,7 +99,7 @@ const struct Curl_handler Curl_handler_smbs = {
44 "SMBS", /* scheme */
45 smb_setup_connection, /* setup_connection */
46 smb_do, /* do_it */
47- smb_done, /* done */
48+ ZERO_NULL, /* done */
49 ZERO_NULL, /* do_more */
50 smb_connect, /* connect_it */
51 smb_connection_state, /* connecting */
52@@ -936,14 +934,6 @@ static CURLcode 
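Review bot: The `done` slot in `Curl_handler_smb` is now `ZERO_NULL` with nothing at the table entry recording that the missing callback is deliberate, and the same applies to the `Curl_handler_smbs` table in the next hunk. The removed `smb_done()` freed `data->req.p.smb`, and the commit message says the generic layer owns that struct, so a short comment would keep a later change from reintroducing a protocol-level free and with it the memory-safety problem this commit fixes (CVE-2022-43552), e.g. `ZERO_NULL, /* done: req.p.smb is freed by the generic layer */`. As this is a backport, it is also worth confirming that the target tree's generic request teardown really does release `data->req.p.smb`; that code is not visible in this patch, and without it the change would become a per-transfer leak.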
smb_request_state(struct Curl_easy *data, bool *done)
53 return CURLE_OK;
54 }
55
56-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
57- bool premature)
58-{
59- (void) premature;
60- Curl_safefree(data->req.p.smb);
61- return status;
62-}
63-
64 static CURLcode smb_disconnect(struct Curl_easy *data,
65 struct connectdata *conn, bool dead)
66 {
67diff --git a/lib/telnet.c b/lib/telnet.c
68index 24d3f1efb14c8..22bc81e755222 100644
69--- a/lib/telnet.c
70+++ b/lib/telnet.c
71@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
72
73 curl_slist_free_all(tn->telnet_vars);
74 tn->telnet_vars = NULL;
75-
76- Curl_safefree(data->req.p.telnet);
77-
78 return CURLE_OK;
79 }
80
81