Re: [PATCH] Fix use-after-free bug in __dns_lookup.

Wed, 31 Mar 2010 07:17:24 -0700 

On Tue, Mar 23, 2010 at 09:18:21AM +0100, Gabor Juhos wrote:
>If the type of the first answer does not match with the requested type,
>then the dotted name will be freed. If there are no further answers in
>the DNS reply, this pointer will be used later on in the same function.
>Additionally it is passed to the caller, and may cause strange behaviour.
>
>For example, the following busybox commands are triggering a segmentation
>fault with uClibc 0.9.30.x

I cannot reproduce this with attached test program with 0.9.31-rc1 (or
current master)?

#include <string.h>
#include <stdio.h>
#include <netdb.h>
#include <sys/socket.h>
int main(int argc, char**argv) {
	unsigned int addr_count = 0;
	char addr[1024];
#ifdef NAME2
	char *chp;
	struct hostent *result;

	if (argc < 2 || argv[argc-1] == NULL) return 1;
	result = gethostbyname2(argv[argc-1],AF_INET);
	if (!result) return 2;
	printf("name   : %s\nfam    : %d\naddrlen: %d\n", result->h_name, result->h_addrtype, result->h_length);
	while (result->h_addr_list[addr_count]) {
		inet_ntop(result->h_addrtype, result->h_addr_list[addr_count++], &addr, sizeof(addr));
		printf("addr   : %s\n", addr);
	}
	printf("total %d addresses\n", addr_count);
	printf("aliases:");
	chp = *result->h_aliases;
	while ((chp = *(result->h_aliases++)))
		printf(" %s", chp);
	printf("\n");

	return 0;
#else
	char buf[1024];
	struct hostent rbuf, *result;
	int herrno, ret;
	char *chp;

	if (argc < 2 || argv[argc-1] == NULL) return 1;
	memset(&rbuf, 0, sizeof rbuf);
	ret = gethostbyname_r(argv[argc-1], &rbuf, buf, sizeof(buf), &result, &herrno);
	if (ret || !result) return 2;
	printf("name   : %s\nfam    : %d\naddrlen: %d\n", result->h_name, result->h_addrtype, result->h_length);
	while (result->h_addr_list[addr_count]) {
		inet_ntop(result->h_addrtype, result->h_addr_list[addr_count++], &addr, sizeof(addr));
		printf("addr   : %s\n", addr);
	}
	printf("total %d addresses\n", addr_count);
	printf("aliases:");
	chp = *result->h_aliases;
	while ((chp = *(result->h_aliases++)))
		printf(" %s", chp);
	printf("\n");
	return ret;
#endif
}

_______________________________________________
uClibc mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/uclibc

Reply via email to