package-update/base/uclibc/uClibc-0.9.31-dnslookup-use-after-free.patch

# --- SDE-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# Filename: package/.../uclibc/uClibc-0.9.31-dnslookup-use-after-free.patch
# Copyright (C) 2010 The OpenSDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- SDE-COPYRIGHT-NOTE-END ---

From eb1d8c8289f466ba3ad10b9a88ab2e426b8a9dc7 Mon Sep 17 00:00:00 2001
From: Gabor Juhos <juhosg@openwrt.org>
Date: Tue, 6 Apr 2010 09:55:19 +0200
Subject: [PATCH] Fix use-after-free bug in __dns_lookup

If the type of the first answer does not match with the requested type,
then the dotted name was freed. If there are no further answers in
the DNS reply, this pointer was used later on in the same function.
Additionally it is passed to the caller, and caused strange
behaviour.

Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
---
 libc/inet/resolv.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
index 056539f..9459199 100644
--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -1517,10 +1517,8 @@ int attribute_hidden __dns_lookup(const char *name,
 				memcpy(a, &ma, sizeof(ma));
 				if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
 					break;
-				if (a->atype != type) {
-					free(a->dotted);
+				if (a->atype != type)
 					continue;
-				}
 				a->add_count = h.ancount - j - 1;
 				if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
 					break;
-- 
1.7.0