[git commit master] Fix use-after-free bug in __dns_lookup

Bernhard Reutner-Fischer rep.dot.nop at gmail.com
Tue Apr 6 08:26:41 UTC 2010


commit: http://git.uclibc.org/uClibc/commit/?id=fd8991cc59305a071e9f1765b3e1e09de9339bc3
branch: http://git.uclibc.org/uClibc/commit/?id=refs/heads/master

If the type of the first answer does not match with the requested type,
then the dotted name was freed. If there are no further answers in
the DNS reply, this pointer was used later on in the same function.
Additionally it is passed to the caller, and caused strange
behaviour.

Signed-off-by: Gabor Juhos <juhosg at openwrt.org>
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop at gmail.com>
---
 libc/inet/resolv.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
index 056539f..9459199 100644
--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -1517,10 +1517,8 @@ int attribute_hidden __dns_lookup(const char *name,
 				memcpy(a, &ma, sizeof(ma));
 				if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
 					break;
-				if (a->atype != type) {
-					free(a->dotted);
+				if (a->atype != type)
 					continue;
-				}
 				a->add_count = h.ancount - j - 1;
 				if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
 					break;
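Review bot: on the `if (a->atype != type) continue;` path, the a->dotted of the skipped answer is no longer released anywhere in the visible lines, so the use-after-free may have been traded for a leak. If the loop comes back around to `memcpy(a, &ma, sizeof(ma));` for a later answer, the old pointer is overwritten without a free. Consider freeing the previous a->dotted immediately before that memcpy, or freeing it at the `continue` and setting a->dotted to NULL, so that neither the later use in this function nor the caller can see a stale pointer. Since the commit message says the pointer is also handed back to the caller, a short comment stating who owns a->dotted on return would help prevent the same mistake from recurring.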
-- 
1.6.3.3


