From 5d50ed963d992cc9f3fae757242df2654bdc4ca1 Mon Sep 17 00:00:00 2001 From: Garrett D'Amore Date: Mon, 30 Dec 2019 15:25:51 -0800 Subject: fixes #1079 Use after free panic in tcp_dialer --- src/platform/posix/posix_resolv_gai.c | 18 +++++++++++++++--- src/platform/windows/win_resolv.c | 14 ++++++++++++-- 2 files changed, 27 insertions(+), 5 deletions(-) (limited to 'src/platform') diff --git a/src/platform/posix/posix_resolv_gai.c b/src/platform/posix/posix_resolv_gai.c index 4bf9d2ec..4b03a95e 100644 --- a/src/platform/posix/posix_resolv_gai.c +++ b/src/platform/posix/posix_resolv_gai.c @@ -42,7 +42,7 @@ typedef struct resolv_item resolv_item; struct resolv_item { int family; int passive; - const char * name; + char * name; int proto; int socktype; uint16_t port; @@ -67,6 +67,7 @@ resolv_cancel(nni_aio *aio, void *arg, int rv) // so we can just discard everything. nni_aio_list_remove(aio); nni_mtx_unlock(&resolv_mtx); + nni_strfree(item->name); NNI_FREE_STRUCT(item); } else { // This case indicates the resolver is still processing our @@ -253,9 +254,18 @@ resolv_ip(const char *host, const char *serv, int passive, int family, return; } - // NB: host and serv must remain valid until this is completed. + // NB: must remain valid until this is completed. So we have to + // make our own copy. + + if (host == NULL) { + item->name = NULL; + } else if ((item->name = nni_strdup(host)) == NULL) { + NNI_FREE_STRUCT(item); + nni_aio_finish_error(aio, NNG_ENOMEM); + return; + } + memset(&item->sa, 0, sizeof(item->sa)); - item->name = host; item->proto = proto; item->aio = aio; item->family = fam; @@ -272,6 +282,7 @@ resolv_ip(const char *host, const char *serv, int passive, int family, } if (rv != 0) { nni_mtx_unlock(&resolv_mtx); + nni_strfree(item->name); NNI_FREE_STRUCT(item); nni_aio_finish_error(aio, rv); return; 
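Review bot: Changing `name` from `const char *` to `char *` turns the member into an owned heap copy, but nothing at the declaration records that, and the ownership is exactly what this fix is about; a reader of the struct alone still has to hunt for the three free sites. I would annotate the member: `char *name; // heap copy of host (nni_strdup), may be NULL; released with nni_strfree by whoever frees the item`. The struct body continues past the end of the hunk.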
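Review bot: The new `nni_strfree(item->name)` in resolv_cancel runs unconditionally, yet the same patch explicitly stores `item->name = NULL` when the caller passed no host (the passive case), so this path relies on nni_strfree treating NULL as a no-op — its definition is not visible here. If it does not, cancelling a passive resolve before the worker picks it up would fault right here; either confirm that contract with a comment such as `// name is NULL for no-host requests; nni_strfree must accept NULL` or guard the call. resolv_cancel begins and ends outside the hunk.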
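Review bot: The rewritten comment ("must remain valid until this is completed. So we have to make our own copy") no longer names what must remain valid, and it silently drops the old mention of `serv`, which the caller also owns. The struct stores a `uint16_t port` rather than a service string, which suggests serv is consumed synchronously before this point, but the hunk cannot confirm that. I would make the comment say what is actually guaranteed, e.g. `// The worker reads host asynchronously, possibly after the caller's buffer is gone, so keep our own copy. serv is not stored.` (second clause adjusted to what the code above really does). resolv_ip begins outside the hunk.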
@@ -332,6 +343,7 @@ resolv_worker(void *unused) nni_aio_set_sockaddr(aio, &item->sa); nni_aio_finish(aio, rv, 0); } + nni_strfree(item->name); NNI_FREE_STRUCT(item); } nni_mtx_unlock(&resolv_mtx); diff --git a/src/platform/windows/win_resolv.c b/src/platform/windows/win_resolv.c index 745f03d1..ff356700 100644 --- a/src/platform/windows/win_resolv.c +++ b/src/platform/windows/win_resolv.c @@ -36,7 +36,7 @@ typedef struct resolv_item resolv_item; struct resolv_item { int family; int passive; - const char * name; + char * name; int proto; int socktype; uint16_t port; @@ -60,6 +60,7 @@ resolv_cancel(nni_aio *aio, void *arg, int rv) // so we can just discard everything. nni_aio_list_remove(aio); nni_mtx_unlock(&resolv_mtx); + nni_strfree(item->name); NNI_FREE_STRUCT(item); } else { // Resolver still working, so just unlink our AIO to @@ -225,9 +226,16 @@ resolv_ip(const char *host, const char *serv, int passive, int family, nni_aio_finish_error(aio, NNG_ENOMEM); return; } + if (host == NULL) { + item->name = NULL; + } else if ((item->name = nni_strdup(host)) == NULL) { + nni_aio_finish_error(aio, NNG_ENOMEM); + NNI_FREE_STRUCT(item); + return; + } + memset(&item->sa, 0, sizeof(item->sa)); item->passive = passive; - item->name = host; item->proto = proto; item->aio = aio; item->family = fam; @@ -243,6 +251,7 @@ resolv_ip(const char *host, const char *serv, int passive, int family, } if (rv != 0) { nni_mtx_unlock(&resolv_mtx); + nni_strfree(item->name); NNI_FREE_STRUCT(item); nni_aio_finish_error(aio, rv); return; @@ -301,6 +310,7 @@ resolv_worker(void *notused) nni_aio_finish(aio, rv, 0); } + nni_strfree(item->name); NNI_FREE_STRUCT(item); } nni_mtx_unlock(&resolv_mtx); -- cgit v1.2.3-70-g09d2
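Review bot: As on the POSIX side, the type change of `name` to `char *` makes it an owned copy without saying so at the declaration, and in this file there is no comment anywhere explaining the copy. I would annotate the member: `char *name; // heap copy of host (nni_strdup), may be NULL; freed with nni_strfree together with the item`. The struct body continues past the hunk.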
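Review bot: The strdup-failure path in this hunk completes the aio (`nni_aio_finish_error(aio, NNG_ENOMEM)`) before it frees the item, which is the reverse of the order used on the `rv != 0` path later in this file and in the POSIX counterpart of this same change. Nothing dangles because `item->aio` is not yet assigned, but finishing the aio last, `NNI_FREE_STRUCT(item); nni_aio_finish_error(aio, NNG_ENOMEM);`, keeps every teardown path in the function the same shape and avoids ever completing the request while its resources are still live. The POSIX file also explains why the copy is made and this one does not; add above the `if (host == NULL)`: `// host must stay valid until the worker is done with it, so take our own copy.` resolv_ip begins outside the hunk.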
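Review bot: The worker's new `nni_strfree(item->name)` has no NULL check, but earlier in this file the patch sets `item->name = NULL` when no host was given, so correctness here depends on nni_strfree accepting NULL — something this file does not show. If it does, a one-line comment `// name is NULL for passive (no-host) requests; nni_strfree tolerates that` saves the next reader the lookup; if it does not, guard the call with `if (item->name != NULL)`. The worker's loop starts before the hunk.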