authorGarrett D'Amore <garrett@damore.org>2019-12-30 15:25:51 -0800
committerGarrett D'Amore <garrett@damore.org>2019-12-31 11:30:17 -0800
commit3c6ecbd617d8d187f6963b5a43dc1abe5efae12b (patch)
tree0743edae139ef4599adc71b0f9b57968abef48a5 /src
parent092a24eea6ae494be8f7a5fe543e634cca01022e (diff)
downloadnng-1.2.3.tar.gz
nng-1.2.3.tar.bz2
nng-1.2.3.zip
fixes #1079 Use after free panic in tcp_dialerv1.2.3
Diffstat (limited to 'src')
-rw-r--r--src/platform/posix/posix_resolv_gai.c18
-rw-r--r--src/platform/windows/win_resolv.c14
-rw-r--r--src/supplemental/tcp/tcp.c4
3 files changed, 29 insertions, 7 deletions
diff --git a/src/platform/posix/posix_resolv_gai.c b/src/platform/posix/posix_resolv_gai.c
index 4bf9d2ec..4b03a95e 100644
--- a/src/platform/posix/posix_resolv_gai.c
+++ b/src/platform/posix/posix_resolv_gai.c
@@ -42,7 +42,7 @@ typedef struct resolv_item resolv_item;
struct resolv_item {
int family;
int passive;
- const char * name;
+ char * name;
int proto;
int socktype;
uint16_t port;
@@ -67,6 +67,7 @@ resolv_cancel(nni_aio *aio, void *arg, int rv)
// so we can just discard everything.
nni_aio_list_remove(aio);
nni_mtx_unlock(&resolv_mtx);
+ nni_strfree(item->name);
NNI_FREE_STRUCT(item);
} else {
// This case indicates the resolver is still processing our
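Review bot: The pair `nni_strfree(item->name); NNI_FREE_STRUCT(item);` is now written out by hand at every place an item is released: here in resolv_cancel, in the `rv != 0` path of resolv_ip, in resolv_worker, and at the same three sites in win_resolv.c. Because item now owns a heap copy of the name, a release path added later that calls only NNI_FREE_STRUCT leaks the string, and one that frees the name while the item is still reachable reintroduces the use-after-free this commit fixes. A file-local helper, e.g. `static void resolv_item_free(resolv_item *item) { nni_strfree(item->name); NNI_FREE_STRUCT(item); }`, would keep the ownership rule in one place. resolv_cancel's body continues outside the hunk.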
@@ -253,9 +254,18 @@ resolv_ip(const char *host, const char *serv, int passive, int family,
return;
}
- // NB: host and serv must remain valid until this is completed.
+ // NB: must remain valid until this is completed. So we have to
+ // make our own copy.
+
+ if (host == NULL) {
+ item->name = NULL;
+ } else if ((item->name = nni_strdup(host)) == NULL) {
+ NNI_FREE_STRUCT(item);
+ nni_aio_finish_error(aio, NNG_ENOMEM);
+ return;
+ }
+
memset(&item->sa, 0, sizeof(item->sa));
- item->name = host;
item->proto = proto;
item->aio = aio;
item->family = fam;
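Review bot: The rewritten comment above the copy lost its subject: `// NB: must remain valid until this is completed.` no longer says what must remain valid. The old wording named both host and serv, but only host is duplicated here. I would write `// NB: the lookup may complete after the caller's host buffer is gone, so keep our own copy; item owns item->name and frees it with nni_strfree().` If serv is fully consumed before resolv_ip returns (not visible in this hunk), the same comment should say so, so the next reader does not wonder why it is not copied too. The matching hunk in win_resolv.c has no comment at all and should get the same one. resolv_ip begins and ends outside the hunk.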
@@ -272,6 +282,7 @@ resolv_ip(const char *host, const char *serv, int passive, int family,
}
if (rv != 0) {
nni_mtx_unlock(&resolv_mtx);
+ nni_strfree(item->name);
NNI_FREE_STRUCT(item);
nni_aio_finish_error(aio, rv);
return;
@@ -332,6 +343,7 @@ resolv_worker(void *unused)
nni_aio_set_sockaddr(aio, &item->sa);
nni_aio_finish(aio, rv, 0);
}
+ nni_strfree(item->name);
NNI_FREE_STRUCT(item);
}
nni_mtx_unlock(&resolv_mtx);
diff --git a/src/platform/windows/win_resolv.c b/src/platform/windows/win_resolv.c
index 745f03d1..ff356700 100644
--- a/src/platform/windows/win_resolv.c
+++ b/src/platform/windows/win_resolv.c
@@ -36,7 +36,7 @@ typedef struct resolv_item resolv_item;
struct resolv_item {
int family;
int passive;
- const char * name;
+ char * name;
int proto;
int socktype;
uint16_t port;
@@ -60,6 +60,7 @@ resolv_cancel(nni_aio *aio, void *arg, int rv)
// so we can just discard everything.
nni_aio_list_remove(aio);
nni_mtx_unlock(&resolv_mtx);
+ nni_strfree(item->name);
NNI_FREE_STRUCT(item);
} else {
// Resolver still working, so just unlink our AIO to
@@ -225,9 +226,16 @@ resolv_ip(const char *host, const char *serv, int passive, int family,
nni_aio_finish_error(aio, NNG_ENOMEM);
return;
}
+ if (host == NULL) {
+ item->name = NULL;
+ } else if ((item->name = nni_strdup(host)) == NULL) {
+ nni_aio_finish_error(aio, NNG_ENOMEM);
+ NNI_FREE_STRUCT(item);
+ return;
+ }
+
memset(&item->sa, 0, sizeof(item->sa));
item->passive = passive;
- item->name = host;
item->proto = proto;
item->aio = aio;
item->family = fam;
@@ -243,6 +251,7 @@ resolv_ip(const char *host, const char *serv, int passive, int family,
}
if (rv != 0) {
nni_mtx_unlock(&resolv_mtx);
+ nni_strfree(item->name);
NNI_FREE_STRUCT(item);
nni_aio_finish_error(aio, rv);
return;
@@ -301,6 +310,7 @@ resolv_worker(void *notused)
nni_aio_finish(aio, rv, 0);
}
+ nni_strfree(item->name);
NNI_FREE_STRUCT(item);
}
nni_mtx_unlock(&resolv_mtx);
diff --git a/src/supplemental/tcp/tcp.c b/src/supplemental/tcp/tcp.c
index 78a6d7e0..02a3351f 100644
--- a/src/supplemental/tcp/tcp.c
+++ b/src/supplemental/tcp/tcp.c
@@ -159,11 +159,11 @@ tcp_dialer_free(void *arg)
nni_tcp_dialer_close(d->d);
nni_tcp_dialer_fini(d->d);
}
- nni_strfree(d->host);
- nni_strfree(d->port);
nni_aio_fini(d->resaio);
nni_aio_fini(d->conaio);
nni_mtx_fini(&d->mtx);
+ nni_strfree(d->host);
+ nni_strfree(d->port);
NNI_FREE_STRUCT(d);
}
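Review bot: The new position of the two nni_strfree() calls is load-bearing, but nothing in tcp_dialer_free says so. Presumably a resolve started on d->resaio can still read d->host until nni_aio_fini(d->resaio) returns, which would be the use-after-free named in the commit title. Without a marker, a later tidy-up could move the frees back above the aio teardown. A comment before them such as `// Free host/port only after the aios are finalized; a pending resolve may still reference them.` would pin the order. The start of tcp_dialer_free is outside the hunk.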