diff options
| author | Gabor Juhos <juhosg@openwrt.org> | 2010-04-06 09:55:19 +0200 |
|---|---|---|
| committer | Bernhard Reutner-Fischer <rep.dot.nop@gmail.com> | 2010-04-06 10:52:23 +0200 |
| commit | eb1d8c8289f466ba3ad10b9a88ab2e426b8a9dc7 (patch) | |
| tree | 94e7b412fea2d5f0b3db8c0b9448456ecd2915bd | |
| parent | 8477df4d627200cdd251190b9ebfda75cb57f29c (diff) | |
| download | uClibc-alpine-eb1d8c8289f466ba3ad10b9a88ab2e426b8a9dc7.tar.bz2 uClibc-alpine-eb1d8c8289f466ba3ad10b9a88ab2e426b8a9dc7.tar.xz | |
Fix use-after-free bug in __dns_lookup
If the type of the first answer does not match with the requested type,
then the dotted name was freed. If there are no further answers in
the DNS reply, this pointer was used later on in the same function.
Additionally it is passed to the caller, and caused strange
behaviour.
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
| -rw-r--r-- | libc/inet/resolv.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c index 056539f6e..9459199da 100644 --- a/libc/inet/resolv.c +++ b/libc/inet/resolv.c @@ -1517,10 +1517,8 @@ int attribute_hidden __dns_lookup(const char *name, memcpy(a, &ma, sizeof(ma)); if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA))) break; - if (a->atype != type) { - free(a->dotted); + if (a->atype != type) continue; - } a->add_count = h.ancount - j - 1; if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen) break; |