From eb1cd08a9be7b085076c14e3fd4507b33c786cc1 Mon Sep 17 00:00:00 2001
From: Peter Korsgaard
Date: Tue, 6 Apr 2010 15:37:14 +0200
Subject: uClibc: 0.9.31 dnslookup use after free fix

Signed-off-by: Peter Korsgaard
---
 .../uClibc-0.9.31-dnslookup-use-after-free.patch | 36 ++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 toolchain/uClibc/uClibc-0.9.31-dnslookup-use-after-free.patch
(limited to 'toolchain')
diff --git a/toolchain/uClibc/uClibc-0.9.31-dnslookup-use-after-free.patch b/toolchain/uClibc/uClibc-0.9.31-dnslookup-use-after-free.patch
new file mode 100644
index 000000000..9956d591a
--- /dev/null
+++ b/toolchain/uClibc/uClibc-0.9.31-dnslookup-use-after-free.patch
@@ -0,0 +1,36 @@
+From eb1d8c8289f466ba3ad10b9a88ab2e426b8a9dc7 Mon Sep 17 00:00:00 2001
+From: Gabor Juhos
+Date: Tue, 6 Apr 2010 09:55:19 +0200
+Subject: [PATCH] Fix use-after-free bug in __dns_lookup
+
+If the type of the first answer does not match with the requested type,
+then the dotted name was freed. If there are no further answers in
+the DNS reply, this pointer was used later on in the same function.
+Additionally it is passed to the caller, and caused strange
+behaviour.
+
+Signed-off-by: Gabor Juhos
+Signed-off-by: Bernhard Reutner-Fischer
+---
+ libc/inet/resolv.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
+index 056539f..9459199 100644
+--- a/libc/inet/resolv.c
++++ b/libc/inet/resolv.c
+@@ -1517,10 +1517,8 @@ int attribute_hidden __dns_lookup(const char *name,
+ memcpy(a, &ma, sizeof(ma));
+ if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
+ break;
+- if (a->atype != type) {
+- free(a->dotted);
++ if (a->atype != type)
+ continue;
+- }
+ a->add_count = h.ancount - j - 1;
+ if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
+ break;
+--
+1.7.0
+
--
cgit v1.2.3
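Review bot: Dropping `free(a->dotted)` from the `a->atype != type` branch removes the dangling pointer, but it may trade the use-after-free for a leak. If `memcpy(a, &ma, sizeof(ma))` runs again for the next answer and `ma.dotted` is a fresh allocation, the skipped record's name is overwritten without ever being freed; the decode step is outside the hunk, so this is inferred. Because the answer section comes from the DNS reply, a reply carrying many records of a non-requested type would leak one name per skipped record. Consider releasing the previous name at the point where it is replaced, for example `free(a->dotted);` just ahead of the `memcpy`, provided `a->dotted` is guaranteed NULL or valid on the first pass, and add a comment stating who owns `a->dotted` on each exit path. `__dns_lookup` starts and ends outside the hunk, so check this against the full function.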