Bug 499 - Two instances of 'memory use after free' in val_neg.c
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: unspecified
Hardware: All All
Importance: P5 normal
Assigned To: unbound team
Reported: 2013-05-15 17:16 CEST by Jake Montgomery
Modified: 2013-05-16 09:37 CEST

Attachments
Proposed fix for the unbound-1.4.20 version of val_neg.c (548 bytes, patch)
2013-05-15 17:16 CEST, Jake Montgomery
Description Jake Montgomery 2013-05-15 17:16:16 CEST
Created attachment 222
Proposed fix for the unbound-1.4.20 version of val_neg.c

This bug appears in the most recent 1.4.20, and has existed since at least 1.4.12 (the oldest I checked).

There are two instances of the following lines in val_neg.c:

free(p);
free(p->name);

This clearly accesses p->name after p has been freed. Attached is a patch with a proposed fix, for the unbound-1.4.20 version of val_neg.c.
Comment 1 Wouter Wijngaards 2013-05-16 09:37:13 CEST
Hi Jake,

Thank you for this patch!  I have applied it to the source code.

The two snippets only happen if unbound runs out of memory in the neg_setup_x_node() functions, so it likely had little impact for normal users.  The fix allows unbound to continue work after an out-of-memory condition has been hit.

Best regards,
   Wouter
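
The error-path ordering discussed in this report, as an added example that is not taken from the attached patch or from the Unbound source: an owner struct with heap members is torn down after a simulated out-of-memory failure, members first and owner last. The names struct node, xmalloc, xfree, fail_at, node_create and live_after_failure are hypothetical, and the member-before-owner order is assumed from the description above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical node: an owner struct with heap members, like p and p->name. */
struct node { uint8_t *name; size_t len; void *data; };

/* Test hook: make the Nth allocation fail (0 = never) to reach the OOM path. */
static int fail_at, alloc_no, live;

static void *xmalloc(size_t n) {
    void *m = (++alloc_no == fail_at) ? NULL : malloc(n);
    if (m) live++;
    return m;
}
static void xfree(void *m) { if (m) { live--; free(m); } }

static struct node *node_create(const uint8_t *name, size_t len) {
    struct node *p = xmalloc(sizeof(*p));
    if (!p) return NULL;
    p->name = xmalloc(len);
    if (!p->name) { xfree(p); return NULL; }
    memcpy(p->name, name, len);
    p->len = len;
    p->data = xmalloc(16);
    if (!p->data) {
        /* The report's order, free(p); free(p->name);, reads p->name out of
         * freed memory. Release the member first, then the owner. */
        xfree(p->name);
        xfree(p);
        return NULL;
    }
    return p;
}

static void node_delete(struct node *p) {
    if (!p) return;
    xfree(p->data);
    xfree(p->name);
    xfree(p);
}

/* Build a node with the Nth allocation failing; return blocks still live. */
static int live_after_failure(int nth) {
    struct node *p;
    fail_at = nth; alloc_no = 0; live = 0;
    p = node_create((const uint8_t *)"example", 7); /* constructed input */
    node_delete(p);
    return live;
}
```

Failing each allocation in turn exercises every cleanup branch, which is how a bug that only appears under memory pressure can be reached in a test; building with -fsanitize=address reports the swapped order as a heap-use-after-free.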