+2014-02-13 Andreas Schwab <schwab@suse.de>
+
+ [BZ #16574]
+ * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Free the
+ second answer buffer if it was separately allocated.
+
2014-05-12 Andreas Schwab <schwab@suse.de>
[BZ #16932]
* The following bugs are resolved with this release:
- 16545, 16623, 16882, 16885, 16916, 16932, 16943, 16958, 17048.
+ 16545, 16574, 16623, 16882, 16885, 16916, 16932, 16943, 16958, 17048.
* CVE-2014-4043 The posix_spawn_file_actions_addopen implementation did not
copy the path argument. This allowed programs to cause posix_spawn to
name = cp;
}
+ int anslen = 2048;
union
{
querybuf *buf;
u_char *ptr;
} host_buffer;
querybuf *orig_host_buffer;
- host_buffer.buf = orig_host_buffer = (querybuf *) alloca (2048);
+ host_buffer.buf = orig_host_buffer = (querybuf *) alloca (anslen);
u_char *ans2p = NULL;
int nans2p = 0;
int resplen2 = 0;
int olderr = errno;
enum nss_status status;
int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
- host_buffer.buf->buf, 2048, &host_buffer.ptr,
+ host_buffer.buf->buf, anslen, &host_buffer.ptr,
&ans2p, &nans2p, &resplen2);
if (n < 0)
{
resplen2, name, pat, buffer, buflen,
errnop, herrnop, ttlp);
+ /* Check whether ans2p was separately allocated. */
+ if (host_buffer.buf != orig_host_buffer)
+ anslen = MAXPACKET;
+ if (ans2p != NULL
+ && (ans2p < host_buffer.ptr || ans2p >= host_buffer.ptr + anslen))
+ free (ans2p);
+
if (host_buffer.buf != orig_host_buffer)
free (host_buffer.buf);
projects / thirdparty / glibc.git / commitdiff
