diff options
| -rw-r--r-- | toolchain/uClibc/uClibc-0.9.31-dnslookup-use-after-free.patch | 36 | 
1 files changed, 36 insertions, 0 deletions
| diff --git a/toolchain/uClibc/uClibc-0.9.31-dnslookup-use-after-free.patch b/toolchain/uClibc/uClibc-0.9.31-dnslookup-use-after-free.patch new file mode 100644 index 000000000..9956d591a --- /dev/null +++ b/toolchain/uClibc/uClibc-0.9.31-dnslookup-use-after-free.patch @@ -0,0 +1,36 @@ +From eb1d8c8289f466ba3ad10b9a88ab2e426b8a9dc7 Mon Sep 17 00:00:00 2001 +From: Gabor Juhos <juhosg@openwrt.org> +Date: Tue, 6 Apr 2010 09:55:19 +0200 +Subject: [PATCH] Fix use-after-free bug in __dns_lookup + +If the type of the first answer does not match with the requested type, +then the dotted name was freed. If there are no further answers in +the DNS reply, this pointer was used later on in the same function. +Additionally it is passed to the caller, and caused strange +behaviour. + +Signed-off-by: Gabor Juhos <juhosg@openwrt.org> +Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com> +--- + libc/inet/resolv.c |    4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c +index 056539f..9459199 100644 +--- a/libc/inet/resolv.c ++++ b/libc/inet/resolv.c +@@ -1517,10 +1517,8 @@ int attribute_hidden __dns_lookup(const char *name, + 				memcpy(a, &ma, sizeof(ma)); + 				if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA))) + 					break; +-				if (a->atype != type) { +-					free(a->dotted); ++				if (a->atype != type) + 					continue; +-				} + 				a->add_count = h.ancount - j - 1; + 				if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen) + 					break; +--  +1.7.0 + | 
