| 123456789101112131415161718192021222324252627282930313233343536 |
- From eb1d8c8289f466ba3ad10b9a88ab2e426b8a9dc7 Mon Sep 17 00:00:00 2001
- From: Gabor Juhos <juhosg@openwrt.org>
- Date: Tue, 6 Apr 2010 09:55:19 +0200
- Subject: [PATCH] Fix use-after-free bug in __dns_lookup
- If the type of the first answer does not match with the requested type,
- then the dotted name was freed. If there are no further answers in
- the DNS reply, this pointer was used later on in the same function.
- Additionally it is passed to the caller, and caused strange
- behaviour.
- Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
- Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
- ---
- libc/inet/resolv.c | 4 +---
- 1 files changed, 1 insertions(+), 3 deletions(-)
- diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
- index 056539f..9459199 100644
- --- a/libc/inet/resolv.c
- +++ b/libc/inet/resolv.c
- @@ -1517,10 +1517,8 @@ int attribute_hidden __dns_lookup(const char *name,
- memcpy(a, &ma, sizeof(ma));
- if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
- break;
- - if (a->atype != type) {
- - free(a->dotted);
- + if (a->atype != type)
- continue;
- - }
- a->add_count = h.ancount - j - 1;
- if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
- break;
- --
- 1.7.0
|
