|
 |
45d81b |
From f8ecb57dcb7ce41b572cb67e6d2554296a54e738 Mon Sep 17 00:00:00 2001
|
|
|
45d81b |
From: Carl Henrik Lunde <chlunde@ifi.uio.no>
|
|
|
45d81b |
Date: Thu, 1 Dec 2016 00:09:00 +0100
|
|
|
45d81b |
Subject: [PATCH 156/156] Prevent use after free in fd_input_available
|
|
|
45d81b |
|
|
|
45d81b |
When both TEVENT_FD_WRITE and TEVENT_FD_READ are set, and an error/EOF
|
|
|
45d81b |
occurs when reading from the socket, we will get a use after free
|
|
|
45d81b |
in the second call ares_process_fd. The first call will free the watch
|
|
|
45d81b |
structure via a callback.
|
|
|
45d81b |
|
|
|
45d81b |
Prevent this by calling ares_process_fd only once.
|
|
|
45d81b |
|
|
|
45d81b |
Invalid read of size 4
|
|
|
45d81b |
at fd_input_available (async_resolv.c:147)
|
|
|
45d81b |
by epoll_event_loop (tevent_epoll.c:728)
|
|
|
45d81b |
by epoll_event_loop_once (tevent_epoll.c:926)
|
|
|
45d81b |
by std_event_loop_once (tevent_standard.c:114)
|
|
|
45d81b |
by _tevent_loop_once (tevent.c:533)
|
|
|
45d81b |
by tevent_common_loop_wait (tevent.c:637)
|
|
|
45d81b |
by std_event_loop_wait (tevent_standard.c:140)
|
|
|
45d81b |
by server_loop (server.c:702)
|
|
|
45d81b |
by main (data_provider_be.c:587)
|
|
|
45d81b |
Address ... is 112 bytes inside a block of size 136 free'd
|
|
|
45d81b |
at free (vg_replace_malloc.c:530)
|
|
|
45d81b |
by _talloc_free_internal (talloc.c:1116)
|
|
|
45d81b |
by _talloc_free (talloc.c:1647)
|
|
|
45d81b |
by ares__close_sockets (ares__close_sockets.c:50)
|
|
|
45d81b |
by handle_error (ares_process.c:679)
|
|
|
45d81b |
by read_tcp_data (ares_process.c:391)
|
|
|
45d81b |
by processfds (ares_process.c:138)
|
|
|
45d81b |
by fd_input_available (async_resolv.c:144)
|
|
|
45d81b |
by epoll_event_loop (tevent_epoll.c:728)
|
|
|
45d81b |
by epoll_event_loop_once (tevent_epoll.c:926)
|
|
|
45d81b |
by std_event_loop_once (tevent_standard.c:114)
|
|
|
45d81b |
by _tevent_loop_once (tevent.c:533)
|
|
|
45d81b |
by tevent_common_loop_wait (tevent.c:637)
|
|
|
45d81b |
by std_event_loop_wait (tevent_standard.c:140)
|
|
|
45d81b |
by server_loop (server.c:702)
|
|
|
45d81b |
|
|
|
45d81b |
Resolves:
|
|
|
45d81b |
https://fedorahosted.org/sssd/ticket/3250
|
|
|
45d81b |
|
|
|
45d81b |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
45d81b |
(cherry picked from commit 9676b464dd428557ff5a648e1351a3972440396f)
|
|
|
45d81b |
---
|
|
|
45d81b |
src/resolv/async_resolv.c | 9 +++------
|
|
|
45d81b |
1 file changed, 3 insertions(+), 6 deletions(-)
|
|
|
45d81b |
|
|
|
45d81b |
diff --git a/src/resolv/async_resolv.c b/src/resolv/async_resolv.c
|
|
|
45d81b |
index 58d5c6e550bb34cbaa50517323133fad4f900980..e29f679423eeccae1c8fb7af5fdafc69f051741a 100644
|
|
|
45d81b |
--- a/src/resolv/async_resolv.c
|
|
|
45d81b |
+++ b/src/resolv/async_resolv.c
|
|
|
45d81b |
@@ -140,12 +140,9 @@ fd_input_available(struct tevent_context *ev, struct tevent_fd *fde,
|
|
|
45d81b |
return;
|
|
|
45d81b |
}
|
|
|
45d81b |
|
|
|
45d81b |
- if (flags & TEVENT_FD_READ) {
|
|
|
45d81b |
- ares_process_fd(watch->ctx->channel, watch->fd, ARES_SOCKET_BAD);
|
|
|
45d81b |
- }
|
|
|
45d81b |
- if (flags & TEVENT_FD_WRITE) {
|
|
|
45d81b |
- ares_process_fd(watch->ctx->channel, ARES_SOCKET_BAD, watch->fd);
|
|
|
45d81b |
- }
|
|
|
45d81b |
+ ares_process_fd(watch->ctx->channel,
|
|
|
45d81b |
+ flags & TEVENT_FD_READ ? watch->fd : ARES_SOCKET_BAD,
|
|
|
45d81b |
+ flags & TEVENT_FD_WRITE ? watch->fd : ARES_SOCKET_BAD);
|
|
|
45d81b |
}
|
|
|
45d81b |
|
|
|
45d81b |
static void
|
|
|
45d81b |
--
|
|
|
45d81b |
2.9.3
|
|
|
45d81b |
|