You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
53 lines
1.9 KiB
53 lines
1.9 KiB
15 years ago
|
# --- SDE-COPYRIGHT-NOTE-BEGIN ---
|
||
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
|
||
|
#
|
||
|
# Filename: package/.../uclibc/uClibc-0.9.31-dnslookup-use-after-free.patch
|
||
|
# Copyright (C) 2010 The OpenSDE Project
|
||
|
#
|
||
|
# More information can be found in the files COPYING and README.
|
||
|
#
|
||
|
# This patch file is dual-licensed. It is available under the license the
|
||
|
# patched project is licensed under, as long as it is an OpenSource license
|
||
|
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
|
||
|
# of the GNU General Public License as published by the Free Software
|
||
|
# Foundation; either version 2 of the License, or (at your option) any later
|
||
|
# version.
|
||
|
# --- SDE-COPYRIGHT-NOTE-END ---
|
||
|
|
||
|
From eb1d8c8289f466ba3ad10b9a88ab2e426b8a9dc7 Mon Sep 17 00:00:00 2001
|
||
|
From: Gabor Juhos <juhosg@openwrt.org>
|
||
|
Date: Tue, 6 Apr 2010 09:55:19 +0200
|
||
|
Subject: [PATCH] Fix use-after-free bug in __dns_lookup
|
||
|
|
||
|
If the type of the first answer does not match with the requested type,
|
||
|
then the dotted name was freed. If there are no further answers in
|
||
|
the DNS reply, this pointer was used later on in the same function.
|
||
|
Additionally it is passed to the caller, and caused strange
|
||
|
behaviour.
|
||
|
|
||
|
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
|
||
|
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
|
||
|
---
|
||
|
libc/inet/resolv.c | 4 +---
|
||
|
1 files changed, 1 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
|
||
|
index 056539f..9459199 100644
|
||
|
--- a/libc/inet/resolv.c
|
||
|
+++ b/libc/inet/resolv.c
|
||
|
@@ -1517,10 +1517,8 @@ int attribute_hidden __dns_lookup(const char *name,
|
||
|
memcpy(a, &ma, sizeof(ma));
|
||
|
if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
|
||
|
break;
|
||
|
- if (a->atype != type) {
|
||
|
- free(a->dotted);
|
||
|
+ if (a->atype != type)
|
||
|
continue;
|
||
|
- }
|
||
|
a->add_count = h.ancount - j - 1;
|
||
|
if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
|
||
|
break;
|
||
|
--
|
||
|
1.7.0
|
||
|
|