public inbox for glibc-cvs@sourceware.org
* [glibc/siddhesh/gai-cleanup2] gaih_inet: Fix CONTINUE and MERGE actions [BZ #28931]
@ 2022-03-01 2:41 Siddhesh Poyarekar
From: Siddhesh Poyarekar @ 2022-03-01 2:41 UTC (permalink / raw)
To: glibc-cvs
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=878e14b58f8d70addb5a77c0d906a29c1195acd7
commit 878e14b58f8d70addb5a77c0d906a29c1195acd7
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date: Mon Feb 28 14:52:05 2022 +0530
gaih_inet: Fix CONTINUE and MERGE actions [BZ #28931]
The SUCCESS=MERGE action ends up writing to the same scratch buffer, in
some cases referencing freed or invalid memory. Allocate proper memory
for gethostbyname4_r lookups instead of using the scratch buffer so that
all results are properly added in.
SUCCESS=CONTINUE was acting the same as merge, which is incorrect.
Flush existing results and start over if CONTINUE is encountered.
Resolves: BZ #28931
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Diff:
---
sysdeps/posix/getaddrinfo.c | 31 +++++++++++++++++++++++++------
1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
index 0173397fe1..43a8c7e266 100644
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -864,10 +864,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
if (res_ctx == NULL)
no_more = 1;
- at = __alloca (sizeof (*at));
- at->next = NULL;
- at->family = AF_UNSPEC;
-
while (!no_more)
{
no_data = 0;
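Review bot: with the stack-allocated head tuple removed, nothing in this hunk shows `at` being reset to NULL before the `while (!no_more)` loop, and the `at->family = AF_UNSPEC` sentinel that the removed lines established no longer exists; any later code that dereferences `at` unconditionally or tests that sentinel now has to cope with `at == NULL` and with the head tuple living inside a per-lookup buffer. A short comment above the loop stating that `at` starts NULL and that every tuple, head included, is owned by a lookup buffer would make the new ownership model explicit for the next reader.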
@@ -880,10 +876,14 @@ gaih_inet (const char *name, const struct gaih_service *service,
if (fct4 != NULL)
{
+ size_t length = 1024;
+ char *buf = malloc (length);
+
while (1)
{
+ *pat = NULL;
status = DL_CALL_FCT (fct4, (name, pat,
- tmpbuf->data, tmpbuf->length,
+ buf, length,
&errno, &h_errno,
NULL));
if (status == NSS_STATUS_SUCCESS)
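Review bot: `char *buf = malloc (length);` is passed to `DL_CALL_FCT (fct4, ...)` together with `length` without a NULL check, so under allocation failure the NSS module is told it has 1024 bytes at address zero and writes through a null pointer; mirror the -EAI_MEMORY handling used on the regrow path below (`__resolv_context_put (res_ctx); result = -EAI_MEMORY;` and the matching goto) for the initial allocation as well. The bare `1024` would also read better as a named constant with a comment explaining why it replaces the scratch buffer's default size. Resetting `*pat = NULL` on every retry is correct and worth a comment: a TRYAGAIN/ERANGE attempt may have left `*pat` pointing into the buffer that is about to be freed.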
@@ -898,7 +898,9 @@ gaih_inet (const char *name, const struct gaih_service *service,
break;
}
- if (!scratch_buffer_grow (tmpbuf))
+ length *= 2;
+ free (buf);
+ if ((buf = malloc (length)) == NULL)
{
__resolv_context_put (res_ctx);
result = -EAI_MEMORY;
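Review bot: freeing and re-mallocing rather than `realloc`-ing is the right choice here, because an ERANGE result is thrown away and `*pat` is reset at the top of the retry loop, but that reasoning is not stated; a one-line comment above `length *= 2;` would keep someone from "optimising" it into a realloc that copies garbage. As with the `scratch_buffer_grow` it replaces, the doubling has no upper bound, which is acceptable only because the NSS module's ERANGE is driven by the size of its own data; if that assumption is intended, say so in the same comment.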
@@ -906,6 +908,12 @@ gaih_inet (const char *name, const struct gaih_service *service,
}
}
+ if (!gaih_lookup_result_push_alloc (&res, buf))
+ {
+ result = -EAI_MEMORY;
+ goto free_and_return;
+ }
+
if (status == NSS_STATUS_SUCCESS)
{
assert (!no_data);
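Review bot: if `gaih_lookup_result_push_alloc (&res, buf)` fails, `buf` is neither freed here nor, as far as this hunk shows, owned by `res`, so the `goto free_and_return` leaks the lookup buffer; either `free (buf);` before the goto or document that the helper takes ownership of `buf` even when it returns failure. Note also that the push happens regardless of `status`, so buffers from failed lookups are retained until cleanup; that is the safe choice for lifetime (a failed module may still have left `*pat` pointing into the buffer), but a comment saying it is deliberate would help.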
@@ -1037,6 +1045,17 @@ gaih_inet (const char *name, const struct gaih_service *service,
if (nss_next_action (nip, status) == NSS_ACTION_RETURN)
break;
+ /* Discard the previous result on CONTINUE. Allocations will get
+ freed at the end with func_cleanup, so only adjust PAT and free
+ CANONBUF if it was allocated. */
+ if (nss_next_action (nip, status) == NSS_ACTION_CONTINUE)
+ {
+ at = NULL;
+ pat = &at;
+ free (canonbuf);
+ canon = canonbuf = NULL;
+ }
+
nip++;
if (nip->module == NULL)
no_more = -1;
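Review bot: `nss_next_action (nip, status)` is evaluated twice in a row, once for `NSS_ACTION_RETURN` and once for `NSS_ACTION_CONTINUE`; capture it in a local and test that. More importantly, the CONTINUE reset only drops the tuple chain and the canonical name: `no_data` is re-zeroed at the top of the next iteration (visible in the first hunk's context), but any other per-result state accumulated from the discarded module is not visibly reset here and should be audited, otherwise CONTINUE still carries it forward. The "free CANONBUF if it was allocated" wording in the comment is slightly misleading because `free (canonbuf);` is called unconditionally (fine, since free(NULL) is a no-op); "free CANONBUF (NULL is harmless)" would avoid the confusion.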