HackerOne report 686823 (hackerone.com), reported by thomas_v on 2019-09-03 11:51:58

curl: krb5: double-free in read_data() after realloc() fail

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial

EPSS: 0.017 Low (percentile 86.0%)

Summary:

In ‘lib/security.c’, there is a double-free of the reference ‘buf->data’ on the teardown path if ‘Curl_saferealloc()’ fails.

Also, since we read ‘len’ from the ‘fd’, the sender might be able to remotely trigger a realloc() failure, and then the double-free, by sending the value 0x7fffffff.

Introduced by
0649433da realloc: use Curl_saferealloc to avoid common mistakes

Steps To Reproduce:

Actual double-free was not reproduced.
The realloc failure with a particular ‘len’ value can be reproduced on my 32-bit Linux machine with the following code:

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    /* small live allocation, as the buffer would be before a bad length arrives */
    void *ptr = malloc(10);
    if (!ptr)
        return -1;
    /* the attacker-controlled length from the wire: 2 GiB - 1, which a 32-bit
       process cannot satisfy, so realloc() returns NULL */
    int len = 0x7fffffff;
    void *ptr2 = realloc(ptr, len);
    if (!ptr2) {
        printf("Triggered realloc failure\n");
        free(ptr);  /* realloc() failing leaves the original block allocated */
        return 0;
    }
    free(ptr2);
    return -1;
}

Comment:

Also checked other occurrences of ‘Curl_saferealloc()’ calls, which all seem fine otherwise.

Impact

Double-free after a ‘realloc()’ failure, which could be triggered remotely, depending on the use context of the ‘read_data()’ function.
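The failure path described in the summary and the impact section, as an added example that is not the reporter's code and not curl's own lib/security.c: it models a saferealloc() helper with the free-on-failure contract the report attributes to Curl_saferealloc(), a buffer owner that keeps its old pointer across a failed call (the shape that leaves a dangling ‘buf->data’ for the teardown free) beside the corrected form that stores the result back unconditionally, and an instrumented allocator that refuses oversize requests (standing in for realloc(0x7fffffff) failing on a 32-bit build, since it would succeed on most 64-bit hosts) and counts a second free of the same block instead of corrupting the heap. The struct and function names, the 64 KiB cap and the initial 16-byte buffer are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented allocator (constructed for this example): tracks live blocks
 * so a second free of the same pointer is counted rather than executed, and
 * refuses requests above ALLOC_LIMIT to simulate the 0x7fffffff request that
 * realloc() cannot satisfy in a 32-bit process. */
#define ALLOC_LIMIT (64u * 1024u)
#define MAX_TRACKED 16

static struct { void *p; int live; } tracked[MAX_TRACKED];
static int double_frees;

static void track(void *p) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (!tracked[i].live) { tracked[i].p = p; tracked[i].live = 1; return; }
    abort();
}

static int untrack(void *p) {            /* returns 1 if p was a live block */
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i].live && tracked[i].p == p) { tracked[i].live = 0; return 1; }
    return 0;
}

static void tfree(void *p) {
    if (!p) return;
    if (untrack(p)) free(p);
    else double_frees++;                 /* p was already freed: double free */
}

static void *trealloc(void *p, size_t n) {
    if (n > ALLOC_LIMIT) return NULL;    /* simulated allocation failure */
    void *q = realloc(p, n);
    if (q) { if (p) untrack(p); track(q); }
    return q;
}

/* Modeled on the Curl_saferealloc() contract the report describes: on failure
 * the old block is freed, so the caller must not keep using its old pointer. */
static void *saferealloc(void *ptr, size_t size) {
    void *datap = trealloc(ptr, size);
    if (size && !datap)
        tfree(ptr);
    return datap;
}

struct krb5buffer { void *data; size_t size; };   /* assumed layout */

/* Vulnerable shape: the result goes into a temporary, so after a failed call
 * buf->data still holds the pointer saferealloc() has already freed. */
static int grow_vulnerable(struct krb5buffer *buf, uint32_t len) {
    void *tmp = saferealloc(buf->data, len);
    if (!tmp)
        return -1;                       /* buf->data is now dangling */
    buf->data = tmp;
    buf->size = len;
    return 0;
}

/* Fixed shape: store the result back into buf->data unconditionally, so a
 * failed realloc leaves NULL behind and the teardown free is a no-op. */
static int grow_fixed(struct krb5buffer *buf, uint32_t len) {
    buf->data = saferealloc(buf->data, len);
    if (!len || !buf->data)
        return -1;
    buf->size = len;
    return 0;
}

static void teardown(struct krb5buffer *buf) {
    tfree(buf->data);                    /* what the connection teardown does */
    buf->data = NULL;
}

/* Drive one variant with an attacker-chosen length and return how many
 * double frees the instrumented allocator observed. */
static int run(int (*grow)(struct krb5buffer *, uint32_t), uint32_t len) {
    struct krb5buffer buf = { NULL, 0 };
    double_frees = 0;
    memset(tracked, 0, sizeof tracked);
    buf.data = trealloc(NULL, 16);       /* buffer left by an earlier sane read */
    buf.size = 16;
    grow(&buf, len);                     /* the failing call is the interesting path */
    teardown(&buf);
    return double_frees;
}

int main(void) {
    printf("vulnerable, len 0x7fffffff: %d double free(s)\n", run(grow_vulnerable, 0x7fffffffu));
    printf("fixed,      len 0x7fffffff: %d double free(s)\n", run(grow_fixed, 0x7fffffffu));
    printf("vulnerable, len 512:        %d double free(s)\n", run(grow_vulnerable, 512));
    return 0;
}
```

Build with `cc -std=c11 -Wall -o krb5_realloc krb5_realloc.c` and run it; only the vulnerable variant fed the oversize length reports a double free. If you replace tfree() with a plain free() and build with `-fsanitize=address`, ASan reports the same second free as a double-free at the teardown call, which is the check to apply to the real read_data() path.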
