[PATCH] Fix use-after-free bug in __dns_lookup.

Gabor Juhos juhosg at openwrt.org
Sat Apr 3 08:37:16 UTC 2010


Gabor Juhos wrote:
> Bernhard Reutner-Fischer wrote:
>> On Tue, Mar 23, 2010 at 09:18:21AM +0100, Gabor Juhos wrote:
>>> If the type of the first answer does not match with the requested type,
>>> then the dotted name will be freed. If there are no further answers in
>>> the DNS reply, this pointer will be used later on in the same function.
>>> Additionally it is passed to the caller, and may cause strange behaviour.
>>>
>>> For example, the following busybox commands trigger a segmentation
>>> fault with uClibc 0.9.30.x.
>> I cannot reproduce this with the attached test program on 0.9.31-rc1 (or
>> current master)?
> 
> Thanks for your response.
> 
> Unfortunately your test program does not trigger the segmentation fault on
> 0.9.30.1. Now that 0.9.31 is out, I will try that.

Well, I did try that. Unfortunately, the bug is present in 0.9.31 as well.

With the attached patch, the bug is reproducible (on my system at least) even
with your test program.

Here is the screenshot:

root at OpenWrt:/# gethostbyname ipv6.google.com
DNS query:
0000: 00 02 01 00 00 01 00 00 00 00 00 00 04 69 70 76
0010: 36 06 67 6f 6f 67 6c 65 03 63 6f 6d 00 00 01 00
0020: 01

DNS response:
0000: 00 02 81 80 00 01 00 01 00 01 00 00 04 69 70 76
0010: 36 06 67 6f 6f 67 6c 65 03 63 6f 6d 00 00 01 00
0020: 01 c0 0c 00 05 00 01 00 00 11 49 00 09 04 69 70
0030: 76 36 01 6c c0 11 c0 32 00 06 00 01 00 00 00 3c
0040: 00 26 03 6e 73 34 c0 11 09 64 6e 73 2d 61 64 6d
0050: 69 6e c0 11 00 15 89 61 00 00 03 84 00 00 03 84
0060: 00 00 07 08 00 00 00 3c

Oops! Using bad address in gethostbyname_r at line 2223
Bus error
root at OpenWrt:/#

Regards,
Gabor
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: uclibc-trigger-use-after-free-bug.patch
URL: <http://lists.busybox.net/pipermail/uclibc/attachments/20100403/b59df814/attachment.diff>
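To make the trigger condition in the dump above concrete, here is an added example (my own code, not part of the original mail, the attached patch or uClibc) that parses that exact reply with Python's standard library. The packet bytes are transcribed from the dump; the function and field names are my own.

```python
import struct
# 104-byte DNS reply transcribed from the hex dump above (constructed from the message,
# not captured live): question ipv6.google.com/A, one CNAME answer, one SOA authority record.
RESPONSE = bytes.fromhex(
    "00028180000100010001000004697076" "3606676f6f676c6503636f6d00000100"
    "01c00c00050001000011490009046970" "7636016cc011c032000600010000003c"
    "0026036e7334c01109646e732d61646d" "696ec011001589610000038400000384"
    "000007080000003c"
)

def read_name(pkt, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):               # bounded so a pointer loop in a hostile reply cannot hang us
        length = pkt[off]
        if length & 0xC0 == 0xC0:      # compression pointer into an earlier part of the packet
            if end is None:
                end = off + 2          # the caller resumes after the 2-byte pointer
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name too long or compression pointer loop")

def parse_response(pkt):
    """Return (qname, qtype, answers, authority); each record is (name, type, rdata_off, rdlen)."""
    an, ns = struct.unpack_from("!HH", pkt, 6)            # ANCOUNT, NSCOUNT
    qname, off = read_name(pkt, 12)
    qtype = struct.unpack_from("!H", pkt, off)[0]
    off, sections = off + 4, []                           # skip QTYPE and QCLASS
    for count in (an, ns):
        records = []
        for _ in range(count):
            name, off = read_name(pkt, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
            records.append((name, rtype, off + 10, rdlen))
            off += 10 + rdlen
        sections.append(records)
    return qname, qtype, sections[0], sections[1]

def first_answer_report(pkt):
    """Summarise the shape the report hinges on: a single answer whose type is not the question's."""
    _qname, qtype, answers, _authority = parse_response(pkt)
    _name, rtype, rdata_off, _rdlen = answers[0]
    return {"qtype": qtype, "answer_type": rtype, "answer_count": len(answers),
            "mismatch": len(answers) == 1 and rtype != qtype,
            "cname_target": read_name(pkt, rdata_off)[0] if rtype == 5 else None}
```

For this reply the report shows an A question answered by a single CNAME (type 5) pointing at ipv6.l.google.com, so a resolver that drops its name buffer on the type mismatch has no second answer left to iterate over, which is exactly the situation the mail describes. A regression test for the fix can feed the same bytes to the resolver and check that it follows the CNAME instead of faulting.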