|
|
# --- SDE-COPYRIGHT-NOTE-BEGIN ---# This copyright note is auto-generated by ./scripts/Create-CopyPatch.## Filename: package/.../uclibc/uClibc-0.9.31-dnslookup-use-after-free.patch# Copyright (C) 2010 The OpenSDE Project## More information can be found in the files COPYING and README.## This patch file is dual-licensed. It is available under the license the# patched project is licensed under, as long as it is an OpenSource license# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms# of the GNU General Public License as published by the Free Software# Foundation; either version 2 of the License, or (at your option) any later# version.# --- SDE-COPYRIGHT-NOTE-END ---
From eb1d8c8289f466ba3ad10b9a88ab2e426b8a9dc7 Mon Sep 17 00:00:00 2001From: Gabor Juhos <juhosg@openwrt.org>Date: Tue, 6 Apr 2010 09:55:19 +0200Subject: [PATCH] Fix use-after-free bug in __dns_lookup
If the type of the first answer does not match with the requested type,then the dotted name was freed. If there are no further answers inthe DNS reply, this pointer was used later on in the same function.Additionally it is passed to the caller, and caused strangebehaviour.
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>---
libc/inet/resolv.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
index 056539f..9459199 100644
--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -1517,10 +1517,8 @@ int attribute_hidden __dns_lookup(const char *name,
memcpy(a, &ma, sizeof(ma)); if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA))) break;- if (a->atype != type) {
- free(a->dotted);
+ if (a->atype != type)
continue;- }
a->add_count = h.ancount - j - 1; if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen) break;--
1.7.0
|
