authorGabor Juhos <juhosg@openwrt.org>2010-04-06 09:55:19 +0200
committerBernhard Reutner-Fischer <rep.dot.nop@gmail.com>2010-04-06 10:26:41 +0200
commitfd8991cc59305a071e9f1765b3e1e09de9339bc3 (patch)
tree8c2b16e98ddf44e803a71b195d274d118ec68dad
parentcd50d9a1c93bf1e02f4d4e2df4ece6c881f24719 (diff)
Fix use-after-free bug in __dns_lookup
If the type of the first answer does not match with the requested type, then the dotted name was freed. If there are no further answers in the DNS reply, this pointer was used later on in the same function. Additionally it is passed to the caller, and caused strange behaviour. Signed-off-by: Gabor Juhos <juhosg@openwrt.org> Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
-rw-r--r--libc/inet/resolv.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
index 056539f6e..9459199da 100644
--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -1517,10 +1517,8 @@ int attribute_hidden __dns_lookup(const char *name,
memcpy(a, &ma, sizeof(ma));
if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
break;
- if (a->atype != type) {
- free(a->dotted);
+ if (a->atype != type)
continue;
- }
a->add_count = h.ancount - j - 1;
if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
break;
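Review bot: With `free(a->dotted)` removed from the `a->atype != type` branch, `a->dotted` stays allocated across the `continue`, and the `memcpy(a, &ma, sizeof(ma))` at the top of this hunk overwrites that pointer when the next answer is processed. Whether the previous name is released before that memcpy cannot be seen here, because the body of __dns_lookup starts and ends outside the hunk. If it is not, every skipped answer in a reply would leak one dotted name, and the reply contents are controlled by the remote server. I would confirm that a `free(a->dotted);` sits directly before the memcpy, or add one there. I would also document the ownership on the new branch, for example `/* keep a->dotted: it is still read after the loop and handed to the caller */`.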