CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.017 Low (Percentile 86.0%)
In ‘lib/security.c’, there is a double-free of the reference ‘buf->data’ on the teardown path if ‘Curl_saferealloc()’ fails.
Also, since we read ‘len’ from the ‘fd’, the sender might be able to remotely trigger a realloc() failure, and then the double-free, by sending the value 0x7fffffff.
Introduced by: 0649433da realloc: use Curl_saferealloc to avoid common mistakes
Actual double-free was not reproduced.
The realloc failure with the particular ‘len’ value can be reproduced on my 32-bit Linux machine with the following code:

    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        /* Small live allocation that the failed realloc() will act on. */
        void *ptr = malloc(10);
        if (!ptr)
            return -1;

        /* The length value from the report; on a 32-bit system this exceeds
           what the allocator will hand out, so realloc() returns NULL. */
        int len = 0x7fffffff;
        void *ptr2 = realloc(ptr, len);
        if (!ptr2) {
            printf("Triggered realloc failure\n");
            free(ptr); /* after a failed realloc() the original block is still owned by ptr */
            return 0;
        }
        free(ptr2);
        return -1;
    }
Also checked other occurrences of ‘Curl_saferealloc()’ calls, which all seem fine otherwise.
Double-free after a ‘realloc()’ failure, which could be triggered remotely, depending on the use context of the ‘read_data()’ function.
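The following is an added illustration, not curl's code and not the reporter's: a minimal C model of the pattern the report describes, a free-on-failure realloc helper beside a caller that still holds its own copy of the old pointer, next to the variant that uses plain realloc() so the struct keeps a single owning reference. `safe_realloc`, `msgbuf`, `read_data_buggy`, `read_data_fixed`, `teardown`, the tracked-free instrumentation and the SIZE_MAX length that forces the allocation failure are all assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>

struct msgbuf { unsigned char *data; size_t len; };
/* Instrumented free: remembers the last block released so teardown() can
   recognise a second free of the same block instead of corrupting the heap. */
static void *g_last_freed;
static void tracked_free(void *p) { g_last_freed = p; free(p); }
/* Free-on-failure realloc, a hypothetical model of the contract the report
   describes: on failure the old block is released too, so any copy of the
   old pointer the caller still holds is now dangling. */
static void *safe_realloc(void *ptr, size_t size) {
    void *p = realloc(ptr, size);
    if (size && !p)
        tracked_free(ptr);
    return p;
}
/* Buggy pattern: buf->data is only updated on success, so after a failed
   safe_realloc() it still points at the block the helper just freed. */
static int read_data_buggy(struct msgbuf *buf, size_t len) {
    unsigned char *p = safe_realloc(buf->data, len);
    if (!p) return -1;
    buf->data = p; buf->len = len;
    return 0;
}
/* Fixed pattern: plain realloc() leaves the old block alive on failure, so
   the struct keeps its single owning reference and teardown frees it once. */
static int read_data_fixed(struct msgbuf *buf, size_t len) {
    unsigned char *p = realloc(buf->data, len);
    if (!p) return -1;
    buf->data = p; buf->len = len;
    return 0;
}
/* Teardown: returns 1 if the block was already freed (a double free), else 0. */
static int teardown(struct msgbuf *buf) {
    int dup = buf->data && buf->data == g_last_freed;
    if (!dup) tracked_free(buf->data);
    buf->data = NULL;
    return dup;
}
/* Feeds a reader a peer-supplied length realloc() must reject (SIZE_MAX,
   constructed input), then tears down; returns teardown()'s verdict. */
static int run(int (*reader)(struct msgbuf *, size_t)) {
    struct msgbuf buf = { malloc(16), 16 };
    g_last_freed = NULL;
    if (!buf.data) return -1;
    (void)reader(&buf, SIZE_MAX);
    return teardown(&buf);
}
```

run(read_data_buggy) reports the would-be second free of the same block, while run(read_data_fixed) frees the buffer exactly once.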