| 123456789101112131415161718192021222324252627282930313233343536373839404142434445 |
- From c602079e5b7ba998d1dd6cae4a305af80e6cba52 Mon Sep 17 00:00:00 2001
- From: Gabor Juhos <[email protected]>
- Date: Tue, 23 Mar 2010 08:35:27 +0100
- Subject: [PATCH] Fix use-after-free bug in __dns_lookup.
- If the type of the first answer does not match with the requested type,
- then the dotted name will be freed. If there are no further answers in
- the DNS reply, this pointer will be used later on in the same function.
- Additionally it is passed to the caller, and may cause strange behaviour.
- For example, the following busybox commands are triggering a segmentation
- fault with uClibc 0.9.30.x
- - nslookup ipv6.google.com
- - ping ipv6.google.com
- - wget http//ipv6.google.com/
- Signed-off-by: Gabor Juhos <[email protected]>
- ---
- See https://dev.openwrt.org/ticket/6886 for a testcase
- ---
- libc/inet/resolv.c | 4 +---
- 1 files changed, 1 insertions(+), 3 deletions(-)
- diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
- index 0a6fd7a..e76f0aa 100644
- --- a/libc/inet/resolv.c
- +++ b/libc/inet/resolv.c
- @@ -1501,10 +1501,8 @@ int attribute_hidden __dns_lookup(const char *name,
- memcpy(a, &ma, sizeof(ma));
- if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
- break;
- - if (a->atype != type) {
- - free(a->dotted);
- + if (a->atype != type)
- continue;
- - }
- a->add_count = h.ancount - j - 1;
- if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
- break;
- --
- 1.5.3.2
|
