small memory leak in libc/inet/resolv.c

Bernhard Reutner-Fischer rep.dot.nop at gmail.com
Fri Oct 21 10:53:02 UTC 2011 

On Fri, Oct 14, 2011 at 09:12:35AM +0200, Joakim Tjernlund wrote:
>
>>
>> We've discovered a small memory leak in __dns_lookup() when the A record
>> in the DNS answer is preceded by one or more CNAME records.
>>
>> This can be reproduced by performing a gethostbyname() lookup on
>> "www.google.com" or "www.yahoo.com".  After each CNAME record,
>> __dns_lookup() leaks by 256 bytes.
>>
>> =====================================
>> The problem code is in this segment:
>>
>>         first_answer = 1;
>>         for (j = 0; j < h.ancount; j++) {
>>             i = __decode_answer(packet, pos, packet_len, &ma);
>>
>>             <...snipped code for brevity...>
>>
>>             if (first_answer) {
>>                 ma.buf = a->buf;
>>                 ma.buflen = a->buflen;
>>                 ma.add_count = a->add_count;
>>                 memcpy(a, &ma, sizeof(ma));
>>                 if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
>>                     break;
>>                 if (a->atype != type)
>>                     continue;
>>                 a->add_count = h.ancount - j - 1;
>>                 if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
>>                     break;
>>                 a->add_count = 0;
>>                 first_answer = 0;
>>             } else {
>> =====================================
>>
>> On the first time through the loop (j == 0) with the CNAME record,
>> ma.dotted is alloc'ed using a strdup() in decode_answer(), and memcpy()
>> copies it to a->dotted. The loop is continued at "if (a->atype != type)".
>>
>> On the second time through the loop (j == 1), ma.dotted is again
>> alloc'ed in decode_answer().  Now we have two allocated segments, one
>> pointed-to by ma.dotted, and the other pointed-to by a->dotted.
>> But memcpy() will over-write the pointer stored at a->dotted.
>>
>> My proposed solution is to check a->dotted before the memcpy() and free()
>> it if it is non-NULL. (See the attached patch.)
>>
>> I've tested my solution with a number of different public DNS servers
>> resolving a variety of names, but we're using an older version of uClibc.
>>
>> This leak was introduced in April 2010 when a similar free() call was
>> removed for the test case when a DNS server returns a lone CNAME record.
>> (ipv6.google.com)
>
>free can handle NULL so you can skip the
>  if (a->dotted)
>test.

Applied, thanks!

More information about the uClibc mailing list