Date:      Wed, 16 Jun 2004 12:48:30 +0900 (JST)
From:      JINMEI Tatuya <jinmei@ocean.jinmei.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/67994: getaddrinfo.c uses a dangling pointer
Message-ID:  <20040616034830.4AFA633F@ocean.jinmei.org>
Resent-Message-ID: <200406160350.i5G3oM4n072424@freefall.freebsd.org>


>Number:         67994
>Category:       bin
>Synopsis:       getaddrinfo.c uses a dangling pointer
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 16 03:50:21 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     JINMEI Tatuya
>Release:        FreeBSD 4.9-RELEASE i386
>Organization:
The KAME Project
>Environment:
System: FreeBSD ocean.jinmei.org 4.9-RELEASE FreeBSD 4.9-RELEASE #36: Wed May 19 18:16:55 JST 2004 jinmei@ocean.jinmei.org:/home/jinmei/src/kame/kame/freebsd4/sys/compile/SS2010_SCTP i386

Machine: Toshiba Portege 2000
OS: see above
I'm using a KAME snapshot, but it should be irrelevant to this report.

>Description:

lib/libc/net/getaddrinfo.c:_dns_getaddrinfo() uses a dangling
(uninitialized) pointer "addr" in the res_target structure.
This could potentially make the library crash in, e.g., the getanswer()
function in this file.  Fortunately, however, the illegal pointer
access should actually not happen, since this pointer should always be
set correctly in getanswer() in this context.

But I believe the bug should be corrected for future changes that
might trigger the crash.

>How-To-Repeat:

None (the bug currently does not cause an actual problem).

>Fix:

Apply the below patch.  Apparently, the CURRENT also needs this fix.

Index: getaddrinfo.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/net/getaddrinfo.c,v
retrieving revision 1.9.2.14
diff -u -r1.9.2.14 getaddrinfo.c
--- getaddrinfo.c	8 Nov 2002 17:49:31 -0000	1.9.2.14
+++ getaddrinfo.c	16 Jun 2004 03:26:47 -0000
@@ -1493,7 +1493,6 @@
 {
 	struct addrinfo *ai;
 	querybuf *buf, *buf2;
-	const char *name;
 	struct addrinfo sentinel, *cur;
 	struct res_target q, q2;
 
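Review bot: Dropping `const char *name;` is the right way to close this, because any remaining reference to `name` inside _dns_getaddrinfo() now fails to compile instead of silently reading an uninitialized stack slot; the second hunk relies on `hostname` being this function's own parameter, which lies outside the visible context, so confirm the build and that no other use of `name` survives in the function body.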
@@ -1517,27 +1516,27 @@
 	switch (pai->ai_family) {
 	case AF_UNSPEC:
 		/* prefer IPv6 */
-		q.name = name;
+		q.name = hostname;
 		q.qclass = C_IN;
 		q.qtype = T_AAAA;
 		q.answer = buf->buf;
 		q.anslen = sizeof(buf->buf);
 		q.next = &q2;
-		q2.name = name;
+		q2.name = hostname;
 		q2.qclass = C_IN;
 		q2.qtype = T_A;
 		q2.answer = buf2->buf;
 		q2.anslen = sizeof(buf2->buf);
 		break;
 	case AF_INET:
-		q.name = name;
+		q.name = hostname;
 		q.qclass = C_IN;
 		q.qtype = T_A;
 		q.answer = buf->buf;
 		q.anslen = sizeof(buf->buf);
 		break;
 	case AF_INET6:
-		q.name = name;
+		q.name = hostname;
 		q.qclass = C_IN;
 		q.qtype = T_AAAA;
 		q.answer = buf->buf;
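Review bot: All four assignments (q.name and q2.name in the AF_UNSPEC case, q.name in the AF_INET and AF_INET6 cases) now take `hostname` instead of the never-initialized `name`, so the pointer the resolver receives in `q.name` is no longer stack garbage. One documentation mismatch: the synopsis and description describe the dangling pointer as "addr", but the field this hunk corrects is `name`; the description should say `name` so the audit trail matches the patch. A one-line comment recording why the crash does not currently happen (per the description, getanswer() always overwrites the pointer in this context) would stop a later change from reintroducing the same hidden dependency.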

>Release-Note:
>Audit-Trail:
>Unformatted: