diff options
author | Gabor Juhos <juhosg@openwrt.org> | 2010-04-06 09:55:19 +0200 |
---|---|---|
committer | Bernhard Reutner-Fischer <rep.dot.nop@gmail.com> | 2010-04-06 10:26:41 +0200 |
commit | fd8991cc59305a071e9f1765b3e1e09de9339bc3 (patch) | |
tree | 8c2b16e98ddf44e803a71b195d274d118ec68dad /libc/inet | |
parent | cd50d9a1c93bf1e02f4d4e2df4ece6c881f24719 (diff) |
Fix use-after-free bug in __dns_lookup
If the type of the first answer does not match with the requested type,
then the dotted name was freed. If there are no further answers in
the DNS reply, this pointer was used later on in the same function.
Additionally it is passed to the caller, and caused strange
behaviour.
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
Diffstat (limited to 'libc/inet')
-rw-r--r-- | libc/inet/resolv.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c index 056539f6e..9459199da 100644 --- a/libc/inet/resolv.c +++ b/libc/inet/resolv.c @@ -1517,10 +1517,8 @@ int attribute_hidden __dns_lookup(const char *name, memcpy(a, &ma, sizeof(ma)); if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA))) break; - if (a->atype != type) { - free(a->dotted); + if (a->atype != type) continue; - } a->add_count = h.ancount - j - 1; if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen) break; |