| 1 | From c602079e5b7ba998d1dd6cae4a305af80e6cba52 Mon Sep 17 00:00:00 2001 |
| 2 | From: Gabor Juhos <juhosg@openwrt.org> |
| 3 | Date: Tue, 23 Mar 2010 08:35:27 +0100 |
| 4 | Subject: [PATCH] Fix use-after-free bug in __dns_lookup. |
| 5 | |
| 6 | If the type of the first answer does not match with the requested type, |
| 7 | then the dotted name will be freed. If there are no further answers in |
| 8 | the DNS reply, this pointer will be used later on in the same function. |
| 9 | Additionally it is passed to the caller, and may cause strange behaviour. |
| 10 | |
| 11 | For example, the following busybox commands are triggering a segmentation |
| 12 | fault with uClibc 0.9.30.x |
| 13 | |
| 14 | - nslookup ipv6.google.com |
| 15 | - ping ipv6.google.com |
| 16 | - wget http//ipv6.google.com/ |
| 17 | |
| 18 | Signed-off-by: Gabor Juhos <juhosg@openwrt.org> |
| 19 | |
| 20 | --- |
| 21 | |
| 22 | See https://dev.openwrt.org/ticket/6886 for a testcase |
| 23 | --- |
| 24 | libc/inet/resolv.c | 4 +--- |
| 25 | 1 files changed, 1 insertions(+), 3 deletions(-) |
| 26 | |
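--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -1501,10 +1501,8 @@ int attribute_hidden __dns_lookup(const char *name,
 memcpy(a, &ma, sizeof(ma));
 if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
 break;
-if (a->atype != type) {
-free(a->dotted);
+if (a->atype != type)
 continue;
-}
 a->add_count = h.ancount - j - 1;
 if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
 break;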
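Review bot: With the free dropped, the `continue` on the new side leaves `a->dotted` allocated for every answer whose type does not match, so whether this is now a leak depends on code outside the hunk: the loop has to release the previous `a->dotted` before the next `memcpy(a, &ma, sizeof(ma))` overwrites it, and the last one standing has to reach the caller, which frees it. If that is how the enclosing loop is written the change is the right fix, since the type mismatch is driven by the contents of a reply received from the network and the old code freed a pointer it then kept using; a short ownership comment at the `continue` would keep the next maintainer from reinstating the free: `/* keep a->dotted: it is released before the next memcpy overwrites *a, or handed to the caller */`. If the loop does not free it before reuse, the dotted name of each skipped record leaks instead. __dns_lookup begins and ends outside the hunk, so the surrounding loop is not visible here.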
| 43 | -- |
| 44 | 1.5.3.2 |
| 45 | |
| 46 | |