small memory leak in libc/inet/resolv.c

Timothy Holdener tgh1138 at acm.org
Thu Oct 13 23:50:27 UTC 2011 

We've discovered a small memory leak in __dns_lookup() when the A record 
in the DNS answer is preceded by one or more CNAME records.

This can be reproduced by performing a gethostbyname() lookup on
"www.google.com" or "www.yahoo.com".  After each CNAME record,
__dns_lookup() leaks by 256 bytes.

=====================================
The problem code is in this segment:

        first_answer = 1;
        for (j = 0; j < h.ancount; j++) {
            i = __decode_answer(packet, pos, packet_len, &ma);

            <...snipped code for brevity...>

            if (first_answer) {
                ma.buf = a->buf;
                ma.buflen = a->buflen;
                ma.add_count = a->add_count;
                memcpy(a, &ma, sizeof(ma));
                if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
                    break;
                if (a->atype != type)
                    continue;
                a->add_count = h.ancount - j - 1;
                if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
                    break;
                a->add_count = 0;
                first_answer = 0;
            } else {
=====================================

On the first time through the loop (j == 0) with the CNAME record, 
ma.dotted is alloc'ed using a strdup() in decode_answer(), and memcpy() 
copies it to a->dotted. The loop is continued at "if (a->atype != type)".

On the second time through the loop (j == 1), ma.dotted is again 
alloc'ed in decode_answer().  Now we have two allocated segments, one
pointed-to by ma.dotted, and the other pointed-to by a->dotted.
But memcpy() will over-write the pointer stored at a->dotted.

My proposed solution is to check a->dotted before the memcpy() and free() 
it if it is non-NULL. (See the attached patch.)

I've tested my solution with a number of different public DNS servers
resolving a variety of names, but we're using an older version of uClibc.

This leak was introduced in April 2010 when a similar free() call was
removed for the test case when a DNS server returns a lone CNAME record.
(ipv6.google.com)

-- 
Tim Holdener
-------------- next part --------------
--- uClibc-0.9.32.orig/libc/inet/resolv.c	2011-10-12 04:28:18.000000000 -0700
+++ uClibc-0.9.32/libc/inet/resolv.c	2011-10-13 15:59:05.000000000 -0700
@@ -1503,6 +1503,7 @@
 		DPRINTF("Decoding answer at pos %d\n", pos);
 
 		first_answer = 1;
+		a->dotted = NULL;
 		for (j = 0; j < h.ancount; j++) {
 			i = __decode_answer(packet, pos, packet_len, &ma);
 			if (i < 0) {
@@ -1519,6 +1520,8 @@
 				ma.buf = a->buf;
 				ma.buflen = a->buflen;
 				ma.add_count = a->add_count;
+				if (a->dotted)
+					free(a->dotted);
 				memcpy(a, &ma, sizeof(ma));
 				if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
 					break;

More information about the uClibc mailing list