From owner-freebsd-bugs@FreeBSD.ORG Wed Jun 16 03:52:12 2004
Message-Id: <20040616034830.4AFA633F@ocean.jinmei.org>
Date: Wed, 16 Jun 2004 12:48:30 +0900 (JST)
From: JINMEI Tatuya
To: FreeBSD-gnats-submit@FreeBSD.org
Resent-To: freebsd-bugs@FreeBSD.org
Reply-To: JINMEI Tatuya
Subject: bin/67994: getaddrinfo.c uses a dangling pointer

>Number: 67994
>Category: bin
>Synopsis: getaddrinfo.c uses a dangling pointer
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jun 16 03:50:21 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: JINMEI Tatuya
>Release: FreeBSD 4.9-RELEASE i386
>Organization: The KAME Project
>Environment:
System: FreeBSD ocean.jinmei.org 4.9-RELEASE FreeBSD 4.9-RELEASE #36: Wed May 19 18:16:55 JST 2004 jinmei@ocean.jinmei.org:/home/jinmei/src/kame/kame/freebsd4/sys/compile/SS2010_SCTP i386
Machine: Toshiba Portege 2000
OS: see above
I'm using a KAME snapshot, but it should be irrelevant to this report.
>Description:
lib/libc/net/getaddrinfo.c:_dns_getaddrinfo() uses a dangling (uninitialized) pointer "addr" in the res_target structure. This could potentially make the library crash in, e.g., the getanswer function in this file. Fortunately, however, the illegal pointer access should actually not happen, since this pointer should always be set correctly in getanswer() in this context. But I believe the bug should be corrected for future changes that might trigger the crash.
>How-To-Repeat:
None (the bug currently does not cause an actual problem).
>Fix:
Apply the below patch. Apparently, the CURRENT also needs this fix.
Index: getaddrinfo.c =================================================================== RCS file: /home/ncvs/src/lib/libc/net/getaddrinfo.c,v retrieving revision 1.9.2.14 diff -u -r1.9.2.14 getaddrinfo.c --- getaddrinfo.c 8 Nov 2002 17:49:31 -0000 1.9.2.14 +++ getaddrinfo.c 16 Jun 2004 03:26:47 -0000 @@ -1493,7 +1493,6 @@ { struct addrinfo *ai; querybuf *buf, *buf2; - const char *name; struct addrinfo sentinel, *cur; struct res_target q, q2; @@ -1517,27 +1516,27 @@ switch (pai->ai_family) { case AF_UNSPEC: /* prefer IPv6 */ - q.name = name; + q.name = hostname; q.qclass = C_IN; q.qtype = T_AAAA; q.answer = buf->buf; q.anslen = sizeof(buf->buf); q.next = &q2; - q2.name = name; + q2.name = hostname; q2.qclass = C_IN; q2.qtype = T_A; q2.answer = buf2->buf; q2.anslen = sizeof(buf2->buf); break; case AF_INET: - q.name = name; + q.name = hostname; q.qclass = C_IN; q.qtype = T_A; q.answer = buf->buf; q.anslen = sizeof(buf->buf); break; case AF_INET6: - q.name = name; + q.name = hostname; q.qclass = C_IN; q.qtype = T_AAAA; q.answer = buf->buf; >Release-Note: >Audit-Trail: >Unformatted:
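Review bot: In the first hunk, dropping the `const char *name;` declaration is the right fix for a local that was never assigned, but it only stays correct if no reference to `name` survives in _dns_getaddrinfo() beyond the four assignments rewritten in the second hunk; the context shown stops at the switch, so please build the file and confirm the function compiles with the declaration gone. It would also be worth checking why a warning-enabled build of libc (gcc reports reads of never-assigned locals when optimisation and -Wall are on) did not flag the original use before this report.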
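Review bot: The replacement `hostname` in the second hunk is not declared in any visible context line, so the diff relies on it being the name-to-resolve argument of _dns_getaddrinfo(); please say so in the commit message, because `q` and `q2` are stack locals (`struct res_target q, q2;` in the first hunk) that now store that pointer and the resolver must be done with the chain before the caller's string goes away. Separately, the AF_UNSPEC case sets `q.next = &q2`, while the AF_INET and AF_INET6 cases leave `q.next` untouched; if `q` is not zeroed before the switch (the lines between the two hunks are not shown), `next` would be an uninitialized pointer of exactly the kind this report fixes for `name`, so it is worth a quick check while you are in this function.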
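The report describes a query-chain struct whose name pointer was filled from a local that nothing ever assigned, and a fix that takes the name from the function's own parameter instead. The block below is an added illustration written for this note, not FreeBSD's getaddrinfo.c: it models the res_target chain with a constructed `struct query`, carries the fixed form of the switch from the patch with both nodes zeroed first, and adds a precondition check that walks the chain before anything like getanswer() would dereference it. The `QC_IN`/`QT_A`/`QT_AAAA` constants and the `build_queries`, `check_queries` and `demo` names are assumptions made here; only the AF_* values come from <sys/socket.h>.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>   /* AF_UNSPEC, AF_INET, AF_INET6 */

/* Constructed stand-ins for the resolver constants named in the patch
 * (the real ones live in <arpa/nameser.h>, deliberately not included so
 * this file stays self-contained). */
enum { QC_IN = 1, QT_A = 1, QT_AAAA = 28 };

/* Model of the res_target chain: one query node plus a link to the next.
 * Field names mirror those in the patch; this is an illustrative struct,
 * not libc's definition. */
struct query {
    struct query *next;
    const char *name;   /* domain name to look up */
    int qclass;
    int qtype;
};

/* Fixed form of the switch from the patch: every query takes its name
 * from the hostname parameter rather than from a separate local that was
 * never assigned. Both nodes are zeroed first so that neither name nor
 * next can hold stack garbage in the single-query cases. Returns the
 * number of queries set up, or -1 for an unsupported family. */
int build_queries(const char *hostname, int family,
                  struct query *q, struct query *q2)
{
    memset(q, 0, sizeof *q);
    memset(q2, 0, sizeof *q2);
    switch (family) {
    case AF_UNSPEC:             /* prefer IPv6: AAAA first, then A */
        q->name = hostname;
        q->qclass = QC_IN;
        q->qtype = QT_AAAA;
        q->next = q2;
        q2->name = hostname;
        q2->qclass = QC_IN;
        q2->qtype = QT_A;
        return 2;
    case AF_INET:
        q->name = hostname;
        q->qclass = QC_IN;
        q->qtype = QT_A;
        return 1;
    case AF_INET6:
        q->name = hostname;
        q->qclass = QC_IN;
        q->qtype = QT_AAAA;
        return 1;
    default:
        return -1;
    }
}

/* Precondition check a caller can run before handing the chain to the
 * resolver: every node must carry the expected name and a supported
 * class/type. Returns the number of nodes validated, or -1 at the first
 * bad node. The report notes that getanswer() merely happened to set the
 * pointer before using it; a check like this turns that reliance into an
 * explicit, testable requirement. */
int check_queries(const struct query *q, const char *hostname)
{
    int n = 0;
    for (; q != NULL; q = q->next, n++) {
        if (q->name == NULL || strcmp(q->name, hostname) != 0)
            return -1;
        if (q->qclass != QC_IN || (q->qtype != QT_A && q->qtype != QT_AAAA))
            return -1;
    }
    return n;
}

/* Build a chain for one family and validate it. Returns the validated
 * node count: 2 for AF_UNSPEC, 1 for AF_INET or AF_INET6, -1 otherwise. */
int demo(int family, const char *hostname)
{
    struct query q, q2;
    if (build_queries(hostname, family, &q, &q2) < 0)
        return -1;
    return check_queries(&q, hostname);
}

int main(void)
{
    const char *host = "www.example.net";   /* constructed sample input */
    return (demo(AF_UNSPEC, host) == 2 && demo(AF_INET, host) == 1) ? 0 : 1;
}
```

The zeroing in `build_queries` is what makes the single-query cases safe: in the patch, only the AF_UNSPEC branch assigns `q.next`, so a caller that wants a chain walk like `check_queries` to terminate must guarantee `next` is NULL in the other branches rather than rely on whatever the stack held.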