1
0
mirror of git://projects.qi-hardware.com/openwrt-xburst.git synced 2024-11-23 23:16:16 +02:00

uClibc: fix free-after-use bug in __dns_lookup (closes #6886)

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@20384 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
juhosg 2010-03-23 08:12:24 +00:00
parent 198af96941
commit fadc950fd9
3 changed files with 135 additions and 0 deletions

View File

@ -0,0 +1,45 @@
From c602079e5b7ba998d1dd6cae4a305af80e6cba52 Mon Sep 17 00:00:00 2001
From: Gabor Juhos <juhosg@openwrt.org>
Date: Tue, 23 Mar 2010 08:35:27 +0100
Subject: [PATCH] Fix use-after-free bug in __dns_lookup.
If the type of the first answer does not match with the requested type,
then the dotted name will be freed. If there are no further answers in
the DNS reply, this pointer will be used later on in the same function.
Additionally it is passed to the caller, and may cause strange behaviour.
For example, the following busybox commands are triggering a segmentation
fault with uClibc 0.9.30.x
- nslookup ipv6.google.com
- ping ipv6.google.com
- wget http//ipv6.google.com/
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
---
See https://dev.openwrt.org/ticket/6886 for a testcase
---
libc/inet/resolv.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
index 0a6fd7a..e76f0aa 100644
--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -1501,10 +1501,8 @@ int attribute_hidden __dns_lookup(const char *name,
memcpy(a, &ma, sizeof(ma));
if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
break;
- if (a->atype != type) {
- free(a->dotted);
+ if (a->atype != type)
continue;
- }
a->add_count = h.ancount - j - 1;
if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
break;
--
1.5.3.2

View File

@ -0,0 +1,45 @@
From c602079e5b7ba998d1dd6cae4a305af80e6cba52 Mon Sep 17 00:00:00 2001
From: Gabor Juhos <juhosg@openwrt.org>
Date: Tue, 23 Mar 2010 08:35:27 +0100
Subject: [PATCH] Fix use-after-free bug in __dns_lookup.
If the type of the first answer does not match with the requested type,
then the dotted name will be freed. If there are no further answers in
the DNS reply, this pointer will be used later on in the same function.
Additionally it is passed to the caller, and may cause strange behaviour.
For example, the following busybox commands are triggering a segmentation
fault with uClibc 0.9.30.x
- nslookup ipv6.google.com
- ping ipv6.google.com
- wget http//ipv6.google.com/
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
---
See https://dev.openwrt.org/ticket/6886 for a testcase
---
libc/inet/resolv.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
index 0a6fd7a..e76f0aa 100644
--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -1501,10 +1501,8 @@ int attribute_hidden __dns_lookup(const char *name,
memcpy(a, &ma, sizeof(ma));
if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
break;
- if (a->atype != type) {
- free(a->dotted);
+ if (a->atype != type)
continue;
- }
a->add_count = h.ancount - j - 1;
if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
break;
--
1.5.3.2

View File

@ -0,0 +1,45 @@
From c602079e5b7ba998d1dd6cae4a305af80e6cba52 Mon Sep 17 00:00:00 2001
From: Gabor Juhos <juhosg@openwrt.org>
Date: Tue, 23 Mar 2010 08:35:27 +0100
Subject: [PATCH] Fix use-after-free bug in __dns_lookup.
If the type of the first answer does not match with the requested type,
then the dotted name will be freed. If there are no further answers in
the DNS reply, this pointer will be used later on in the same function.
Additionally it is passed to the caller, and may cause strange behaviour.
For example, the following busybox commands are triggering a segmentation
fault with uClibc 0.9.30.x
- nslookup ipv6.google.com
- ping ipv6.google.com
- wget http//ipv6.google.com/
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
---
See https://dev.openwrt.org/ticket/6886 for a testcase
---
libc/inet/resolv.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
index 0a6fd7a..e76f0aa 100644
--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -1501,10 +1501,8 @@ int attribute_hidden __dns_lookup(const char *name,
memcpy(a, &ma, sizeof(ma));
if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
break;
- if (a->atype != type) {
- free(a->dotted);
+ if (a->atype != type)
continue;
- }
a->add_count = h.ancount - j - 1;
if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
break;
--
1.5.3.2