mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 14:35:26 +00:00
4110. [bug] Address memory leaks / null pointer dereferences
on out of memory. [RT #39310]
This commit is contained in:
Mark Andrews
3
CHANGES
3
CHANGES
@@ -1,3 +1,6 @@
|
||||
4110. [bug] Address memory leaks / null pointer dereferences
|
||||
on out of memory. [RT #39310]
|
||||
|
||||
4109. [port] linux: support reading the local port range from
|
||||
net.ipv4.ip_local_port_range. [RT # 39379]
|
||||
|
||||
|
||||
@@ -933,6 +933,8 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
|
||||
if (lookold->ecs_addr != NULL) {
|
||||
size_t len = sizeof(isc_sockaddr_t);
|
||||
looknew->ecs_addr = isc_mem_allocate(mctx, len);
|
||||
if (looknew->ecs_addr == NULL)
|
||||
fatal("out of memory");
|
||||
memmove(looknew->ecs_addr, lookold->ecs_addr, len);
|
||||
}
|
||||
|
||||
@@ -1086,6 +1088,8 @@ parse_netprefix(isc_sockaddr_t **sap, const char *value) {
|
||||
}
|
||||
|
||||
sa = isc_mem_allocate(mctx, sizeof(*sa));
|
||||
if (sa == NULL)
|
||||
fatal("out of memory");
|
||||
if (inet_pton(AF_INET6, value, &in6) == 1) {
|
||||
isc_sockaddr_fromin6(sa, &in6, 0);
|
||||
parsed = ISC_TRUE;
|
||||
|
||||
@@ -465,10 +465,6 @@ ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
|
||||
}
|
||||
|
||||
if (dscpsp != NULL) {
|
||||
dscps = isc_mem_get(mctx, count * sizeof(isc_dscp_t));
|
||||
if (dscps == NULL)
|
||||
return (ISC_R_NOMEMORY);
|
||||
|
||||
dscpobj = cfg_tuple_get(list, "dscp");
|
||||
if (dscpobj != NULL && cfg_obj_isuint32(dscpobj)) {
|
||||
if (cfg_obj_asuint32(dscpobj) > 63) {
|
||||
@@ -479,11 +475,18 @@ ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
|
||||
}
|
||||
dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
|
||||
}
|
||||
|
||||
dscps = isc_mem_get(mctx, count * sizeof(isc_dscp_t));
|
||||
if (dscps == NULL)
|
||||
return (ISC_R_NOMEMORY);
|
||||
}
|
||||
|
||||
addrs = isc_mem_get(mctx, count * sizeof(isc_sockaddr_t));
|
||||
if (addrs == NULL)
|
||||
if (addrs == NULL) {
|
||||
if (dscps != NULL)
|
||||
isc_mem_put(mctx, dscps, count * sizeof(isc_dscp_t));
|
||||
return (ISC_R_NOMEMORY);
|
||||
}
|
||||
|
||||
for (element = cfg_list_first(addrlist);
|
||||
element != NULL;
|
||||
@@ -622,7 +625,8 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
|
||||
cfg_obj_log(dscpobj, ns_g_lctx, ISC_LOG_ERROR,
|
||||
"dscp value '%u' is out of range",
|
||||
cfg_obj_asuint32(dscpobj));
|
||||
return (ISC_R_RANGE);
|
||||
result = ISC_R_RANGE;
|
||||
goto cleanup;
|
||||
}
|
||||
dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
|
||||
}
|
||||
|
||||
@@ -266,8 +266,10 @@ load(const char *filename, const char *origintext, isc_boolean_t cache) {
|
||||
dns_fixedname_init(&forigin);
|
||||
origin = dns_fixedname_name(&forigin);
|
||||
result = dns_name_fromtext(origin, &source, dns_rootname, 0, NULL);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_mem_put(mctx, dbi, sizeof(*dbi));
|
||||
return (result);
|
||||
}
|
||||
|
||||
result = dns_db_create(mctx, dbtype, origin,
|
||||
cache ? dns_dbtype_cache : dns_dbtype_zone,
|
||||
|
||||
@@ -61,7 +61,8 @@ my_send(isc_task_t *task, isc_event_t *event) {
|
||||
isc_task_shutdown(task);
|
||||
}
|
||||
|
||||
isc_mem_put(mctx, dev->region.base, dev->region.length);
|
||||
if (dev->region.base != NULL)
|
||||
isc_mem_put(mctx, dev->region.base, dev->region.length);
|
||||
|
||||
isc_event_free(&event);
|
||||
}
|
||||
@@ -96,8 +97,8 @@ my_recv(isc_task_t *task, isc_event_t *event) {
|
||||
if (dev->result != ISC_R_SUCCESS) {
|
||||
isc_socket_detach(&sock);
|
||||
|
||||
isc_mem_put(mctx, dev->region.base,
|
||||
dev->region.length);
|
||||
if (dev->region.base != NULL)
|
||||
isc_mem_put(mctx, dev->region.base, dev->region.length);
|
||||
isc_event_free(&event);
|
||||
|
||||
isc_task_shutdown(task);
|
||||
@@ -112,8 +113,11 @@ my_recv(isc_task_t *task, isc_event_t *event) {
|
||||
sprintf(buf, "\r\nReceived: %.*s\r\n\r\n",
|
||||
(int)dev->n, (char *)region.base);
|
||||
region.base = isc_mem_get(mctx, strlen(buf) + 1);
|
||||
region.length = strlen(buf) + 1;
|
||||
strcpy((char *)region.base, buf); /* strcpy is safe */
|
||||
if (region.base != NULL) {
|
||||
region.length = strlen(buf) + 1;
|
||||
strcpy((char *)region.base, buf); /* strcpy is safe */
|
||||
} else
|
||||
region.length = 0;
|
||||
isc_socket_send(sock, ®ion, task, my_send, event->ev_arg);
|
||||
} else {
|
||||
region = dev->region;
|
||||
@@ -143,6 +147,8 @@ my_http_get(isc_task_t *task, isc_event_t *event) {
|
||||
if (dev->result != ISC_R_SUCCESS) {
|
||||
isc_socket_detach(&sock);
|
||||
isc_task_shutdown(task);
|
||||
if (dev->region.base != NULL)
|
||||
isc_mem_put(mctx, dev->region.base, dev->region.length);
|
||||
isc_event_free(&event);
|
||||
return;
|
||||
}
|
||||
@@ -179,8 +185,11 @@ my_connect(isc_task_t *task, isc_event_t *event) {
|
||||
strcpy(buf, "GET / HTTP/1.1\r\nHost: www.flame.org\r\n"
|
||||
"Connection: Close\r\n\r\n");
|
||||
region.base = isc_mem_get(mctx, strlen(buf) + 1);
|
||||
region.length = strlen(buf) + 1;
|
||||
strcpy((char *)region.base, buf); /* This strcpy is safe. */
|
||||
if (region.base != NULL) {
|
||||
region.length = strlen(buf) + 1;
|
||||
strcpy((char *)region.base, buf); /* This strcpy is safe. */
|
||||
} else
|
||||
region.length = 0;
|
||||
|
||||
isc_socket_send(sock, ®ion, task, my_http_get, event->ev_arg);
|
||||
|
||||
|
||||
@@ -908,6 +908,8 @@ parse_netprefix(isc_sockaddr_t **sap, const char *value) {
|
||||
}
|
||||
|
||||
sa = isc_mem_allocate(mctx, sizeof(*sa));
|
||||
if (sa == NULL)
|
||||
fatal("out of memory");
|
||||
if (inet_pton(AF_INET6, value, &in6) == 1) {
|
||||
isc_sockaddr_fromin6(sa, &in6, 0);
|
||||
parsed = ISC_TRUE;
|
||||
|
||||
@@ -1167,6 +1167,7 @@ dns_name_tostring(dns_name_t *source, char **target, isc_mem_t *mctx);
|
||||
* Returns:
|
||||
*
|
||||
*\li ISC_R_SUCCESS
|
||||
*\li ISC_R_NOMEMORY
|
||||
*
|
||||
*\li Any error that dns_name_totext() can return.
|
||||
*/
|
||||
|
||||
@@ -2428,6 +2428,8 @@ dns_name_tostring(dns_name_t *name, char **target, isc_mem_t *mctx) {
|
||||
|
||||
isc_buffer_usedregion(&buf, ®);
|
||||
p = isc_mem_allocate(mctx, reg.length + 1);
|
||||
if (p == NULL)
|
||||
return (ISC_R_NOMEMORY);
|
||||
memmove(p, (char *) reg.base, (int) reg.length);
|
||||
p[reg.length] = '\0';
|
||||
|
||||
|
||||
@@ -166,6 +166,7 @@ test_context_setup(void) {
|
||||
size_t i;
|
||||
|
||||
ctx = isc_mem_get(mctx, sizeof(*ctx));
|
||||
ATF_REQUIRE(ctx != NULL);
|
||||
|
||||
ctx->rbt = NULL;
|
||||
result = dns_rbt_create(mctx, delete_data, NULL, &ctx->rbt);
|
||||
@@ -1134,6 +1135,8 @@ insert_nodes(dns_rbt_t *mytree, char **names,
|
||||
char namebuf[34];
|
||||
|
||||
n = isc_mem_get(mctx, sizeof(size_t));
|
||||
ATF_REQUIRE(n != NULL);
|
||||
|
||||
*n = i; /* Unused value */
|
||||
|
||||
while (1) {
|
||||
|
||||
@@ -49,7 +49,14 @@ typedef void (*isc_memfree_t)(void *, void *);
|
||||
/*%
|
||||
* Define ISC_MEM_CHECKOVERRUN=1 to turn on checks for using memory outside
|
||||
* the requested space. This will increase the size of each allocation.
|
||||
*
|
||||
* If we are performing a Coverity static analysis then ISC_MEM_CHECKOVERRUN
|
||||
* can hide bugs that would otherwise discovered so force to zero.
|
||||
*/
|
||||
#ifdef __COVERITY__
|
||||
#undef ISC_MEM_CHECKOVERRUN
|
||||
#define ISC_MEM_CHECKOVERRUN 0
|
||||
#endif
|
||||
#ifndef ISC_MEM_CHECKOVERRUN
|
||||
#define ISC_MEM_CHECKOVERRUN 1
|
||||
#endif
|
||||
@@ -59,7 +66,14 @@ typedef void (*isc_memfree_t)(void *, void *);
|
||||
* with the byte string '0xbe'. This helps track down uninitialized pointers
|
||||
* and the like. On freeing memory, the space is filled with '0xde' for
|
||||
* the same reasons.
|
||||
*
|
||||
* If we are performing a Coverity static analysis then ISC_MEM_FILL
|
||||
* can hide bugs that would otherwise discovered so force to zero.
|
||||
*/
|
||||
#ifdef __COVERITY__
|
||||
#undef ISC_MEM_FILL
|
||||
#define ISC_MEM_FILL 0
|
||||
#endif
|
||||
#ifndef ISC_MEM_FILL
|
||||
#define ISC_MEM_FILL 1
|
||||
#endif
|
||||
|
||||
@@ -371,7 +371,7 @@ monobit(isc_mem_t *mctx, isc_uint16_t *values, size_t length) {
|
||||
/* Debug message, not displayed when running via atf-run */
|
||||
printf("numbits=%u, scount=%d\n", numbits, scount);
|
||||
|
||||
s_obs = fabs(scount) / sqrt(numbits);
|
||||
s_obs = abs(scount) / sqrt(numbits);
|
||||
p_value = erfc(s_obs / sqrt(2.0));
|
||||
|
||||
return (p_value);
|
||||
@@ -484,6 +484,7 @@ blockfrequency(isc_mem_t *mctx, isc_uint16_t *values, size_t length) {
|
||||
ATF_REQUIRE(numbits >= (mbits * numblocks));
|
||||
|
||||
pi = isc_mem_get(mctx, numblocks * sizeof(double));
|
||||
ATF_REQUIRE(pi != NULL);
|
||||
|
||||
cur_word = 0;
|
||||
for (i = 0; i < numblocks; i++) {
|
||||
|
||||
@@ -1476,10 +1476,11 @@ parse_any_named_map(cfg_parser_t *pctx, cfg_type_t *nametype, const cfg_type_t *
|
||||
CHECK(cfg_parse_obj(pctx, nametype, &idobj));
|
||||
CHECK(cfg_parse_map(pctx, type, &mapobj));
|
||||
mapobj->value.map.id = idobj;
|
||||
idobj = NULL;
|
||||
*ret = mapobj;
|
||||
return (result);
|
||||
cleanup:
|
||||
CLEANUP_OBJ(idobj);
|
||||
CLEANUP_OBJ(mapobj);
|
||||
return (result);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user