fix some memory leaks in dns handling.

- Nothing seems to free the result of host_dns(), so add host_dns_free() and call after each query. - If imsg_add() fails, it frees buf. Avoid subsequently dereferencing the freed buf in imsg_close(). ok millert@ deraadt@
10 years ago · 70297880a3
--- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c
@ -1,4 +1,4 @@
 /*	$OpenBSD: config.c,v 1.22 2015/01/10 13:47:05 tedu Exp $ */
 /*	$OpenBSD: config.c,v 1.23 2015/01/13 02:28:56 bcook Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -109,6 +109,17 @@ host_v6(const char *s)
 	return (h);
 }
 void
 host_dns_free(struct ntp_addr *hn)
 {
 	struct ntp_addr	*h = hn, *tmp;
 	while (h) {
 		tmp = h;
 		h = h->next;
 		free(tmp);
 	}
 }
 int
 host_dns(const char *s, struct ntp_addr **hn)
 {
--- a/src/usr.sbin/ntpd/ntp_dns.c
+++ b/src/usr.sbin/ntpd/ntp_dns.c
@ -1,4 +1,4 @@
 /*	$OpenBSD: ntp_dns.c,v 1.6 2015/01/09 07:35:37 deraadt Exp $ */
 /*	$OpenBSD: ntp_dns.c,v 1.7 2015/01/13 02:28:56 bcook Exp $ */
 /*
 * Copyright (c) 2003-2008 Henning Brauer <henning@openbsd.org>
@ -159,13 +159,20 @@ dns_dispatch_imsg(void)
 			buf = imsg_create(ibuf_dns, IMSG_HOST_DNS,
 			    imsg.hdr.peerid, 0,
 			    cnt * sizeof(struct sockaddr_storage));
 			if (buf == NULL)
 				break;
 			if (cnt > 0)
 				for (h = hn; h != NULL; h = h->next)
 					imsg_add(buf, &h->ss, sizeof(h->ss));
 			imsg_close(ibuf_dns, buf);
 			if (cnt > 0) {
 				if (buf) {
 					for (h = hn; h != NULL; h = h->next)
 						if (imsg_add(buf, &h->ss,
 						    sizeof(h->ss)) == -1) {
 							buf = NULL;
 							break;
 						}
 					if (buf)
 						imsg_close(ibuf_dns, buf);
 				}
 				host_dns_free(hn);
 				hn = NULL;
 			}
 			break;
 		default:
 			break;
--- a/src/usr.sbin/ntpd/ntpd.c
+++ b/src/usr.sbin/ntpd/ntpd.c
@ -1,4 +1,4 @@
 /*	$OpenBSD: ntpd.c,v 1.83 2015/01/09 07:35:37 deraadt Exp $ */
 /*	$OpenBSD: ntpd.c,v 1.84 2015/01/13 02:28:56 bcook Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -358,13 +358,20 @@ dispatch_imsg(struct ntpd_conf *lconf)
 			buf = imsg_create(ibuf, IMSG_HOST_DNS,
 			    imsg.hdr.peerid, 0,
 			    cnt * sizeof(struct sockaddr_storage));
 			if (buf == NULL)
 				break;
 			if (cnt > 0)
 				for (h = hn; h != NULL; h = h->next)
 					imsg_add(buf, &h->ss, sizeof(h->ss));
 			imsg_close(ibuf, buf);
 			if (cnt > 0) {
 				if (buf) {
 					for (h = hn; h != NULL; h = h->next)
 						if (imsg_add(buf, &h->ss,
 						    sizeof(h->ss)) == -1) {
 							buf = NULL;
 							break;
 						}
 					if (buf)
 						imsg_close(ibuf, buf);
 				}
 				host_dns_free(hn);
 				hn = NULL;
 			}
 			break;
 		default:
 			break;
--- a/src/usr.sbin/ntpd/ntpd.h
+++ b/src/usr.sbin/ntpd/ntpd.h
@ -1,4 +1,4 @@
 /*	$OpenBSD: ntpd.h,v 1.116 2015/01/10 13:47:05 tedu Exp $ */
 /*	$OpenBSD: ntpd.h,v 1.117 2015/01/13 02:28:56 bcook Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -281,6 +281,7 @@ int	 parse_config(const char *, struct ntpd_conf *);
 /* config.c */
 void			 host(const char *, struct ntp_addr **);
 int			 host_dns(const char *, struct ntp_addr **);
 void			 host_dns_free(struct ntp_addr *);
 struct ntp_peer		*new_peer(void);
 struct ntp_conf_sensor	*new_sensor(char *);