From 70297880a38c5025c6699c0dc10730b79f2f9554 Mon Sep 17 00:00:00 2001
From: bcook <>
Date: Tue, 13 Jan 2015 02:28:56 +0000
Subject: [PATCH] fix some memory leaks in dns handling. - Nothing seems to free the result of host_dns(), so add host_dns_free() and call after each query. - If imsg_add() fails, it frees buf. Avoid subsequently dereferencing the freed buf in imsg_close(). ok millert@ deraadt@
---
 src/usr.sbin/ntpd/config.c | 13 ++++++++++++-
 src/usr.sbin/ntpd/ntp_dns.c | 23 +++++++++++++++--------
 src/usr.sbin/ntpd/ntpd.c | 23 +++++++++++++++--------
 src/usr.sbin/ntpd/ntpd.h | 3 ++-
 4 files changed, 44 insertions(+), 18 deletions(-)
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
index e0efb24e..d493a9c3 100644
--- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.22 2015/01/10 13:47:05 tedu Exp $ */
+/* $OpenBSD: config.c,v 1.23 2015/01/13 02:28:56 bcook Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
@@ -109,6 +109,17 @@ host_v6(const char *s)
 return (h);
 }
+void
+host_dns_free(struct ntp_addr *hn)
+{
+ struct ntp_addr *h = hn, *tmp;
+ while (h) {
+ tmp = h;
+ h = h->next;
+ free(tmp);
+ }
+}
+
 int
 host_dns(const char *s, struct ntp_addr **hn)
 {
diff --git a/src/usr.sbin/ntpd/ntp_dns.c b/src/usr.sbin/ntpd/ntp_dns.c
index e3eeb12c..451b3589 100644
--- a/src/usr.sbin/ntpd/ntp_dns.c
+++ b/src/usr.sbin/ntpd/ntp_dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntp_dns.c,v 1.6 2015/01/09 07:35:37 deraadt Exp $ */
+/* $OpenBSD: ntp_dns.c,v 1.7 2015/01/13 02:28:56 bcook Exp $ */
 /*
 * Copyright (c) 2003-2008 Henning Brauer
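Review bot: host_dns_free() in config.c is added without a comment stating its ownership contract: it frees every node of the list and receives the head by value, so the caller's own pointer is left dangling after the call. The two call sites in this patch reset it with `hn = NULL;`, but nothing tells a later caller to do the same, and a missed reset would turn into a use-after-free or double free. I would add above the function `/* Free a list returned by host_dns(); the caller must not use the list afterwards and should reset its pointer. */`.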
@@ -159,13 +159,20 @@ dns_dispatch_imsg(void)
 buf = imsg_create(ibuf_dns, IMSG_HOST_DNS, imsg.hdr.peerid, 0, cnt * sizeof(struct sockaddr_storage));
- if (buf == NULL)
- break;
- if (cnt > 0)
- for (h = hn; h != NULL; h = h->next)
- imsg_add(buf, &h->ss, sizeof(h->ss));
-
- imsg_close(ibuf_dns, buf);
+ if (cnt > 0) {
+ if (buf) {
+ for (h = hn; h != NULL; h = h->next)
+ if (imsg_add(buf, &h->ss,
+ sizeof(h->ss)) == -1) {
+ buf = NULL;
+ break;
+ }
+ if (buf)
+ imsg_close(ibuf_dns, buf);
+ }
+ host_dns_free(hn);
+ hn = NULL;
+ }
 break;
 default:
 break;
diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c
index bfc73f97..fae5c7a9 100644
--- a/src/usr.sbin/ntpd/ntpd.c
+++ b/src/usr.sbin/ntpd/ntpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntpd.c,v 1.83 2015/01/09 07:35:37 deraadt Exp $ */
+/* $OpenBSD: ntpd.c,v 1.84 2015/01/13 02:28:56 bcook Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
@@ -358,13 +358,20 @@ dispatch_imsg(struct ntpd_conf *lconf)
 buf = imsg_create(ibuf, IMSG_HOST_DNS, imsg.hdr.peerid, 0, cnt * sizeof(struct sockaddr_storage));
- if (buf == NULL)
- break;
- if (cnt > 0)
- for (h = hn; h != NULL; h = h->next)
- imsg_add(buf, &h->ss, sizeof(h->ss));
-
- imsg_close(ibuf, buf);
+ if (cnt > 0) {
+ if (buf) {
+ for (h = hn; h != NULL; h = h->next)
+ if (imsg_add(buf, &h->ss,
+ sizeof(h->ss)) == -1) {
+ buf = NULL;
+ break;
+ }
+ if (buf)
+ imsg_close(ibuf, buf);
+ }
+ host_dns_free(hn);
+ hn = NULL;
+ }
 break;
 default:
 break;
diff --git a/src/usr.sbin/ntpd/ntpd.h b/src/usr.sbin/ntpd/ntpd.h
index 2cdaf8bf..44f91780 100644
--- a/src/usr.sbin/ntpd/ntpd.h
+++ b/src/usr.sbin/ntpd/ntpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntpd.h,v 1.116 2015/01/10 13:47:05 tedu Exp $ */
+/* $OpenBSD: ntpd.h,v 1.117 2015/01/13 02:28:56 bcook Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
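Review bot: In dns_dispatch_imsg() (ntp_dns.c) `imsg_close(ibuf_dns, buf)` is now reached only inside `if (cnt > 0)`, so when `cnt` is 0 a successfully created `buf` is never closed or released in the visible code, whereas the removed lines still sent the empty reply in that case. Whether `cnt` can be 0 here depends on host_dns() and on code before the hunk that is not shown, but if it can, the requesting process gets no answer for a lookup that returned nothing, and each such request leaves a buffer behind. Keeping only the `for` loop and `host_dns_free(hn); hn = NULL;` inside `if (cnt > 0)` and moving `if (buf) imsg_close(ibuf_dns, buf);` to just after that block restores the reply without reintroducing the dereference of a freed buf. The same applies to dispatch_imsg() in ntpd.c with `ibuf`. A one-line comment at `buf = NULL;` saying that imsg_add() has already freed buf on failure would record why the pointer is dropped rather than freed; both function bodies start and end outside their hunks.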
@@ -281,6 +281,7 @@ int parse_config(const char *, struct ntpd_conf *);
 /* config.c */
 void host(const char *, struct ntp_addr **);
 int host_dns(const char *, struct ntp_addr **);
+void host_dns_free(struct ntp_addr *);
 struct ntp_peer *new_peer(void);
 struct ntp_conf_sensor *new_sensor(char *);