This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[PATCH] Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

From: Andreas Schwab <schwab at suse dot de>
To: libc-alpha at sourceware dot org
Date: Thu, 13 Feb 2014 12:59:12 +0100
Subject: [PATCH] Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer
Authentication-results: sourceware.org; auth=none

As described in the BZ big DNS answers that trigger the allocation of a
second answer buffer causes the allocation to be lost by the nss_dns
module.  In the failure case the deallocation is already handled by
__libc_res_nsearch.

Andreas.

	[BZ #16574]
	* resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Free the
	second answer buffer if it was separately allocated.

diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index 541c25a..365de70 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -298,13 +298,14 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
 	name = cp;
     }
 
+  int anslen = 2048;
   union
   {
     querybuf *buf;
     u_char *ptr;
   } host_buffer;
   querybuf *orig_host_buffer;
-  host_buffer.buf = orig_host_buffer = (querybuf *) alloca (2048);
+  host_buffer.buf = orig_host_buffer = (querybuf *) alloca (anslen);
   u_char *ans2p = NULL;
   int nans2p = 0;
   int resplen2 = 0;
@@ -312,7 +313,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
   int olderr = errno;
   enum nss_status status;
   int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
-			      host_buffer.buf->buf, 2048, &host_buffer.ptr,
+			      host_buffer.buf->buf, anslen, &host_buffer.ptr,
 			      &ans2p, &nans2p, &resplen2);
   if (n < 0)
     {
@@ -352,6 +353,13 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
 			  resplen2, name, pat, buffer, buflen,
 			  errnop, herrnop, ttlp);
 
+  /* Check whether ans2p was separately allocated.  */
+  if (host_buffer.buf != orig_host_buffer)
+    anslen = MAXPACKET;
+  if (ans2p != NULL
+      && (ans2p < host_buffer.ptr || ans2p >= host_buffer.ptr + anslen))
+    free (ans2p);
+
   if (host_buffer.buf != orig_host_buffer)
     free (host_buffer.buf);
 
-- 
1.8.5.4

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

Follow-Ups:
- Re: [PATCH] Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer
  - From: OndÅej BÃlka
- Re: [PATCH] Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer
  - From: Andreas Schwab

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]