Bugzilla – Bug 499
Two instances of 'memory use after free' in val_neg.c
Last modified: 2013-05-16 09:37:13 CEST
Created attachment 222
Proposed fix for the unbound-1.4.20 version of val_neg.c
This bug appears in the most recent 1.4.20, and has existed since, at least, 1.4.12 (the oldest I checked).
There are two instances of the following lines in val_neg.c:
This clearly accesses p->name after p has been freed. Attached is a patch with a proposed fix, for the unbound-1.4.20 version of val_neg.c.
Thank you for this patch! I have applied it to the source code.
The two snippets only happen if unbound runs out of memory in the neg_setup_x_node() functions, so it likely had little impact for normal users. The fix allows unbound to continue work after an out-of-memory condition has been hit.
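The out-of-memory cleanup discussed in this thread, as an added example that is not Unbound's code or the attached patch: a constructed node chain whose allocator is made to fail at every position in turn, with the cleanup loop freeing in the safe order. The names `struct node`, `xalloc`, `xfree`, `chain_build`, `chain_free` and `sweep` are hypothetical; only `p->name` comes from the report.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical node type; only the field name p->name comes from the report. */
struct node { char *name; struct node *parent; };
static int fail_at = -1;  /* index of the allocation to fail; -1 = none */
static int n_alloc, live; /* allocations attempted; blocks still held */
static void *xalloc(size_t n) {
    void *m = (n_alloc++ == fail_at) ? NULL : malloc(n);
    if (m) live++;
    return m;
}
static void xfree(void *m) { if (m) live--; free(m); }

/* Unwind a partly built chain: read every field still needed before releasing
 * the node. The reported bug class is xfree(p) followed by a read of p->name. */
static void chain_free(struct node *p) {
    while (p) {
        struct node *up = p->parent;
        xfree(p->name);
        xfree(p);
        p = up;
    }
}

/* Build `depth` linked nodes; on allocation failure free what exists. */
static struct node *chain_build(const char *label, int depth) {
    struct node *top = NULL;
    for (int i = 0; i < depth; i++) {
        struct node *p = xalloc(sizeof *p);
        if (!p) { chain_free(top); return NULL; }
        p->parent = top;
        p->name = xalloc(strlen(label) + 1);
        if (!p->name) { chain_free(p); return NULL; }
        strcpy(p->name, label);
        top = p;
    }
    return top;
}
/* Fail each allocation in turn; count runs that leak or wrongly succeed. */
static int sweep(int depth) {
    int bad = 0;
    for (int k = 0; k < 2 * depth; k++) {
        fail_at = k; n_alloc = 0; live = 0;
        if (chain_build("example.", depth) != NULL || live != 0) bad++;
    }
    fail_at = -1;
    return bad;
}
int main(void) { return sweep(4); }
```

Built with `-fsanitize=address`, the same sweep reports a heap-use-after-free if the two `xfree` calls in `chain_free` are swapped, which is how a failure-only path like this one can be exercised in testing.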