diff options
author | Andreas Schwab <schwab@suse.de> | 2014-02-18 10:57:25 +0100 |
---|---|---|
committer | Andreas Schwab <schwab@suse.de> | 2014-02-19 14:39:21 +0100 |
commit | ab09bf616ad527b249aca5f2a4956fd526f0712f (patch) | |
tree | 8983f676bf5ac2c5e418a4276dcd25f28755ea70 /resolv/nss_dns/dns-host.c | |
parent | c6af2d896ce07740ad5170eaed3c0bb7720e079e (diff) | |
download | glibc-ab09bf616ad527b249aca5f2a4956fd526f0712f.tar.gz glibc-ab09bf616ad527b249aca5f2a4956fd526f0712f.tar.xz glibc-ab09bf616ad527b249aca5f2a4956fd526f0712f.zip |
Properly fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer
Instead of trying to guess whether the second buffer needs to be freed set a flag at the place it is allocated
Diffstat (limited to 'resolv/nss_dns/dns-host.c')
-rw-r--r-- | resolv/nss_dns/dns-host.c | 23 |
1 files changed, 10 insertions, 13 deletions
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c index 47f998c239..a5f2c0a1fe 100644 --- a/resolv/nss_dns/dns-host.c +++ b/resolv/nss_dns/dns-host.c @@ -190,7 +190,7 @@ _nss_dns_gethostbyname3_r (const char *name, int af, struct hostent *result, host_buffer.buf = orig_host_buffer = (querybuf *) alloca (1024); n = __libc_res_nsearch (&_res, name, C_IN, type, host_buffer.buf->buf, - 1024, &host_buffer.ptr, NULL, NULL, NULL); + 1024, &host_buffer.ptr, NULL, NULL, NULL, NULL); if (n < 0) { switch (errno) @@ -225,7 +225,7 @@ _nss_dns_gethostbyname3_r (const char *name, int af, struct hostent *result, n = __libc_res_nsearch (&_res, name, C_IN, T_A, host_buffer.buf->buf, host_buffer.buf != orig_host_buffer ? MAXPACKET : 1024, &host_buffer.ptr, - NULL, NULL, NULL); + NULL, NULL, NULL, NULL); if (n < 0) { @@ -298,23 +298,23 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, name = cp; } - int anslen = 2048; union { querybuf *buf; u_char *ptr; } host_buffer; querybuf *orig_host_buffer; - host_buffer.buf = orig_host_buffer = (querybuf *) alloca (anslen); + host_buffer.buf = orig_host_buffer = (querybuf *) alloca (2048); u_char *ans2p = NULL; int nans2p = 0; int resplen2 = 0; + int ans2p_malloced = 0; int olderr = errno; enum nss_status status; int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC, - host_buffer.buf->buf, anslen, &host_buffer.ptr, - &ans2p, &nans2p, &resplen2); + host_buffer.buf->buf, 2048, &host_buffer.ptr, + &ans2p, &nans2p, &resplen2, &ans2p_malloced); if (n >= 0) { status = gaih_getanswer (host_buffer.buf, n, (const querybuf *) ans2p, @@ -351,10 +351,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, } /* Check whether ans2p was separately allocated. */ - if (host_buffer.buf != orig_host_buffer) - anslen = MAXPACKET; - if (ans2p != NULL - && (ans2p < host_buffer.ptr || ans2p >= host_buffer.ptr + anslen)) + if (ans2p_malloced) free (ans2p); if (host_buffer.buf != orig_host_buffer) @@ -465,7 +462,7 @@ _nss_dns_gethostbyaddr2_r (const void *addr, socklen_t len, int af, strcpy (qp, "].ip6.arpa"); n = __libc_res_nquery (&_res, qbuf, C_IN, T_PTR, host_buffer.buf->buf, 1024, &host_buffer.ptr, - NULL, NULL, NULL); + NULL, NULL, NULL, NULL); if (n >= 0) goto got_it_already; } @@ -486,14 +483,14 @@ _nss_dns_gethostbyaddr2_r (const void *addr, socklen_t len, int af, } n = __libc_res_nquery (&_res, qbuf, C_IN, T_PTR, host_buffer.buf->buf, - 1024, &host_buffer.ptr, NULL, NULL, NULL); + 1024, &host_buffer.ptr, NULL, NULL, NULL, NULL); if (n < 0 && af == AF_INET6 && (_res.options & RES_NOIP6DOTINT) == 0) { strcpy (qp, "ip6.int"); n = __libc_res_nquery (&_res, qbuf, C_IN, T_PTR, host_buffer.buf->buf, host_buffer.buf != orig_host_buffer ? MAXPACKET : 1024, &host_buffer.ptr, - NULL, NULL, NULL); + NULL, NULL, NULL, NULL); } if (n < 0) { |