Avoid freeing an uninitialised pointer in get_interface_addresses_ioctl

diff --git a/changes/bug18454 b/changes/bug18454
new file mode 100644 (file)
index 0000000..c573dae
--- /dev/null
+++ b/changes/bug18454
@@ -0,0 +1,8 @@
+  o Minor bugfixes (memory safety):
+    - Avoid freeing an uninitialised pointer when opening a socket fails
+      in get_interface_addresses_ioctl.
+      Fixes bug 18454; bugfix on 9f06ec0c in tor-0.2.3.11-alpha.
+      Reported by "toralf" and "cypherpunks", patch by "teor".
+    - Correctly duplicate addresses in get_interface_address6_list.
+      Fixes bug 18454; bugfix on 110765f5 in tor-0.2.8.1-alpha.
+      Reported by "toralf", patch by "cypherpunks".

diff --git a/src/common/address.c b/src/common/address.c
index 8f1ce9dab77a87886e7f2fe7fb8018486a0efcc4..c77b0f3c943a6cfd746155cd5826fb9872bb01e5 100644 (file)
--- a/src/common/address.c
+++ b/src/common/address.c
@@ -1525,6 +1525,7 @@ get_interface_addresses_ioctl(int severity, sa_family_t family)
 {
   /* Some older unixy systems make us use ioctl(SIOCGIFCONF) */
   struct ifconf ifc;
+  ifc.ifc_buf = NULL;
   int fd;
   smartlist_t *result = NULL;
 
@@ -1547,7 +1548,6 @@ get_interface_addresses_ioctl(int severity, sa_family_t family)
   }
 
   int mult = 1;
-  ifc.ifc_buf = NULL;
   do {
     mult *= 2;
     ifc.ifc_len = mult * IFREQ_SIZE;