[package] uhttpd: fix bug in path canonization introduced by r20883
[openwrt.git] / toolchain / uClibc / patches-0.9.30.3 / 902-Fix-use-after-free-bug-in-__dns_lookup.patch
1 From c602079e5b7ba998d1dd6cae4a305af80e6cba52 Mon Sep 17 00:00:00 2001
2 From: Gabor Juhos <juhosg@openwrt.org>
3 Date: Tue, 23 Mar 2010 08:35:27 +0100
4 Subject: [PATCH] Fix use-after-free bug in __dns_lookup.
5
6 If the type of the first answer does not match with the requested type,
7 then the dotted name will be freed. If there are no further answers in
8 the DNS reply, this pointer will be used later on in the same function.
9 Additionally it is passed to the caller, and may cause strange behaviour.
10
11 For example, the following busybox commands are triggering a segmentation
12 fault with uClibc 0.9.30.x
13
14 - nslookup ipv6.google.com
15 - ping ipv6.google.com
16 - wget http//ipv6.google.com/
17
18 Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
19
20 ---
21
22 See https://dev.openwrt.org/ticket/6886 for a testcase
23 ---
24 libc/inet/resolv.c | 4 +---
25 1 files changed, 1 insertions(+), 3 deletions(-)
26
27 diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
28 index 0a6fd7a..e76f0aa 100644
29 --- a/libc/inet/resolv.c
30 +++ b/libc/inet/resolv.c
31 @@ -1501,10 +1501,8 @@ int attribute_hidden __dns_lookup(const char *name,
32 memcpy(a, &ma, sizeof(ma));
33 if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
34 break;
35 - if (a->atype != type) {
36 - free(a->dotted);
37 + if (a->atype != type)
38 continue;
39 - }
40 a->add_count = h.ancount - j - 1;
41 if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
42 break;
43 --
44 1.5.3.2
45
This page took 0.043013 seconds and 5 git commands to generate.