Bug 499

Summary: Two instances of 'memory use after free' in val_neg.c
Product: unbound
Reporter: Jake Montgomery <jacobmdrop>
Component: server
Assignee: unbound team <unbound-team>
Status: RESOLVED FIXED
Severity: normal
CC: wouter
Priority: P5    
Version: unspecified   
Hardware: All   
OS: All   
Attachments: Proposed fix for the unbound-1.4.20 version of val_neg.c

Description Jake Montgomery 2013-05-15 17:16:16 CEST
Created attachment 222
Proposed fix for the unbound-1.4.20 version of val_neg.c

This bug appears in the most recent 1.4.20, and has existed since at least 1.4.12 (the oldest I checked).

There are two instances of the following lines in val_neg.c:

free(p);
free(p->name);

This clearly accesses p->name after p has been freed. Attached is a patch with a proposed fix, for the unbound-1.4.20 version of val_neg.c.
Comment 1 Wouter Wijngaards 2013-05-16 09:37:13 CEST
Hi Jake,

Thank you for this patch!  I have applied it to the source code.

The two snippets only happen if unbound runs out of memory in the neg_setup_x_node() functions, so it likely had little impact for normal users.  The fix allows unbound to continue work after an out-of-memory condition has been hit.

Best regards,
   Wouter
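
The free ordering discussed in this report, as an added example that is not unbound's code or the attached patch: because the faulty lines only run when an allocation fails, the sketch uses a fault-injecting allocator to force each out-of-memory path and checks that cleanup releases every block. The struct, `xmalloc`, `xfree`, `node_create`, `node_delete` and `create_fails_cleanly` are hypothetical names, and the domain name is constructed sample data.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical node type for illustration; not unbound's real struct. */
struct node { unsigned char *name; size_t len; void *extra; };

/* Fault-injecting allocator: the fail_at-th call (0-based) returns NULL. */
static int fail_at = -1, alloc_calls = 0, live_blocks = 0;

static void *xmalloc(size_t n) {
    void *p = (alloc_calls++ == fail_at) ? NULL : malloc(n);
    if (p) live_blocks++;
    return p;
}

static void xfree(void *p) {
    if (p) { live_blocks--; free(p); }
}

/* Three allocations, so there are three distinct out-of-memory paths. */
struct node *node_create(const unsigned char *name, size_t len) {
    struct node *p = xmalloc(sizeof(*p));
    if (!p) return NULL;
    p->name = xmalloc(len);
    if (!p->name) { xfree(p); return NULL; }
    memcpy(p->name, name, len);
    p->len = len;
    p->extra = xmalloc(64);
    if (!p->extra) {
        /* Buggy order from the report: free(p); free(p->name);
         * Corrected order: release the member while p is still valid. */
        xfree(p->name);
        xfree(p);
        return NULL;
    }
    return p;
}

void node_delete(struct node *p) {
    if (p) { xfree(p->extra); xfree(p->name); xfree(p); }
}

/* Force allocation number i to fail (-1: none). Returns 1 when creation
 * failed and the error path released every block it had taken. */
int create_fails_cleanly(int i) {
    static const unsigned char nm[] = "\007example"; /* constructed name */
    alloc_calls = 0; live_blocks = 0; fail_at = i;
    struct node *p = node_create(nm, sizeof(nm));
    if (p) { node_delete(p); return 0; }
    return live_blocks == 0;
}
```

Building with `-fsanitize=address` and calling `create_fails_cleanly(2)` with the two frees swapped back to the reported order makes the sanitizer report the use after free directly.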