[master] fixed memory leak in dns_compress_add()

4184. [bug] Fixed a possible memory leak in name compression when rendering long messages. (Also, improved wire_test for testing such messages.) [RT #40375]
2025-09-03 16:15:27 +00:00 · 2015-08-17 22:41:44 -07:00
parent 47d459ef43
commit b750a49f3f
3 changed files with 84 additions and 49 deletions
--- a/4
+++ b/4
@@ -1,3 +1,7 @@
 4184.	[bug]		Fixed a possible memory leak in name compression
 			when rendering long messages. (Also, improved
 			wire_test for testing such messages.) [RT #40375]
 4183.	[cleanup]	Use timing-safe memory comparisons in cryptographic
 			code. Also, the timing-safe comparison functions have
 			been renamed to avoid possible confusion with
--- a/bin/tests/wire_test.c
+++ b/bin/tests/wire_test.c
@@ -21,6 +21,7 @@
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/file.h>
 #include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/string.h>
@@ -30,7 +31,7 @@
 #include <dns/result.h>
 int parseflags = 0;
-isc_mem_t *mctx;
+isc_mem_t *mctx = NULL;
 isc_boolean_t printmemstats = ISC_FALSE;
 isc_boolean_t dorender = ISC_FALSE;
@@ -65,7 +66,9 @@ fromhex(char c) {
 static void
 usage(void) {
-	fprintf(stderr, "wire_test [-b] [-d] [-p] [-r] [-s] [filename]\n");
+	fprintf(stderr, "wire_test [-b] [-d] [-p] [-r] [-s]\n");
 	fprintf(stderr, "          [-m {usage|trace|record|size|mctx}]\n");
 	fprintf(stderr, "          [filename]\n\n");
 	fprintf(stderr, "\t-b\tBest-effort parsing (ignore some errors)\n");
 	fprintf(stderr, "\t-d\tRead input as raw binary data\n");
 	fprintf(stderr, "\t-p\tPreserve order of the records in messages\n");
@@ -106,23 +109,42 @@ printmessage(dns_message_t *msg) {
 int
 main(int argc, char *argv[]) {
-	char *rp, *wp;
+	isc_buffer_t *input = NULL;
 	unsigned char *bp;
 	isc_buffer_t source;
 	size_t len, i;
 	int n;
 	FILE *f;
 	isc_boolean_t need_close = ISC_FALSE;
 	unsigned char b[64 * 1024];
 	char s[4000];
 	isc_boolean_t tcp = ISC_FALSE;
 	isc_boolean_t rawdata = ISC_FALSE;
 	isc_result_t result;
 	isc_uint8_t c;
 	FILE *f;
 	int ch;
-	mctx = NULL;
+#define CMDLINE_FLAGS "bdm:prst"
 	/*
 	 * Process memory debugging argument first.
 	 */
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 		case 'm':
 			if (strcasecmp(isc_commandline_argument, "record") == 0)
 				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
 			if (strcasecmp(isc_commandline_argument, "trace") == 0)
 				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
 			if (strcasecmp(isc_commandline_argument, "usage") == 0)
 				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
 			if (strcasecmp(isc_commandline_argument, "size") == 0)
 				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
 			if (strcasecmp(isc_commandline_argument, "mctx") == 0)
 				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
 			break;
 		default:
 			break;
 		}
 	}
 	isc_commandline_reset = ISC_TRUE;
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-	while ((ch = isc_commandline_parse(argc, argv, "bdprst")) != -1) {
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 			case 'b':
 				parseflags |= DNS_MESSAGEPARSE_BESTEFFORT;
@@ -130,6 +152,8 @@ main(int argc, char *argv[]) {
 			case 'd':
 				rawdata = ISC_TRUE;
 				break;
 			case 'm':
 				break;
 			case 'p':
 				parseflags |= DNS_MESSAGEPARSE_PRESERVEORDER;
 				break;
@@ -161,15 +185,21 @@ main(int argc, char *argv[]) {
 	} else
 		f = stdin;
-	bp = b;
+	isc_buffer_allocate(mctx, &input, 64 * 1024);
 	if (rawdata) {
-		while (fread(bp, 1, 1, f) != 0)
+		while (fread(&c, 1, 1, f) != 0) {
-			bp++;
+			result = isc_buffer_reserve(&input, 1);
 			RUNTIME_CHECK(result == ISC_R_SUCCESS);
 			isc_buffer_putuint8(input, (isc_uint8_t) c);
 		}
 	} else {
 		char s[BUFSIZ];
 		while (fgets(s, sizeof(s), f) != NULL) {
-			rp = s;
+			char *rp = s, *wp = s;
-			wp = s;
+			size_t i, len = 0;
-			len = 0;
+
 			while (*rp != '\0') {
 				if (*rp == '#')
 					break;
@@ -187,16 +217,15 @@ main(int argc, char *argv[]) {
 				       (unsigned long)len);
 				exit(1);
 			}
-			if (len > sizeof(b) * 2) {
+
 				fprintf(stderr, "input too long\n");
 				exit(2);
 			}
 			rp = s;
 			for (i = 0; i < len; i += 2) {
-				n = fromhex(*rp++);
+				c = fromhex(*rp++);
-				n *= 16;
+				c *= 16;
-				n += fromhex(*rp++);
+				c += fromhex(*rp++);
-				*bp++ = n;
+				result = isc_buffer_reserve(&input, 1);
 				RUNTIME_CHECK(result == ISC_R_SUCCESS);
 				isc_buffer_putuint8(input, (isc_uint8_t) c);
 			}
 		}
 	}
@@ -205,30 +234,26 @@ main(int argc, char *argv[]) {
 		fclose(f);
 	if (tcp) {
-		unsigned char *p = b;
+		while (isc_buffer_remaininglength(input) != 0) {
 		while (p < bp) {
 			unsigned int tcplen;
-			if (p + 2 > bp) {
+			if (isc_buffer_remaininglength(input) < 2) {
 				fprintf(stderr, "premature end of packet\n");
 				exit(1);
 			}
-			tcplen = p[0] << 8 | p[1];
+			tcplen = isc_buffer_getuint16(input);
-			if (p + 2 + tcplen > bp) {
+			if (isc_buffer_remaininglength(input) < tcplen) {
 				fprintf(stderr, "premature end of packet\n");
 				exit(1);
 			}
-			isc_buffer_init(&source, p + 2, tcplen);
+			process_message(input);
 			isc_buffer_add(&source, tcplen);
 			process_message(&source);
 			p += 2 + tcplen;
 		}
-	} else {
+	} else
-		isc_buffer_init(&source, b, sizeof(b));
+		process_message(input);
-		isc_buffer_add(&source, bp - b);
+
-		process_message(&source);
+	if (input != NULL)
-	}
+		isc_buffer_free(&input);
 	if (printmemstats)
 		isc_mem_stats(mctx, stdout);
--- a/lib/dns/compress.c
+++ b/lib/dns/compress.c
@@ -214,7 +214,7 @@ dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
 	REQUIRE(VALID_CCTX(cctx));
 	REQUIRE(dns_name_isabsolute(name));
-	if (offset > 0x4000)
+	if (offset >= 0x4000)
 		return;
 	dns_name_init(&tname, NULL);
 	dns_name_init(&xname, NULL);
@@ -231,18 +231,21 @@ dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
 	tmp = isc_mem_get(cctx->mctx, length);
 	if (tmp == NULL)
 		return;
 	/*
 	 * Copy name data to 'tmp' and make 'r' use 'tmp'.
 	 */
 	memmove(tmp, r.base, r.length);
 	r.base = tmp;
 	dns_name_fromregion(&xname, &r);
 	while (count > 0) {
 		if (offset >= 0x4000)
 			break;
 		dns_name_getlabelsequence(&xname, start, n, &tname);
 		hash = dns_name_hash(&tname, ISC_FALSE) %
 		       DNS_COMPRESS_TABLESIZE;
 		tlength = name_length(&tname);
 		toffset = (isc_uint16_t)(offset + (length - tlength));
 		if (toffset >= 0x4000)
 			break;
 		/*
 		 * Create a new node and add it.
 		 */
@@ -251,14 +254,14 @@ dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
 		else {
 			node = isc_mem_get(cctx->mctx,
 					   sizeof(dns_compressnode_t));
-			if (node == NULL) {
+			if (node == NULL)
-				if (start == 0)
+				break;
 					isc_mem_put(cctx->mctx,
 						    r.base, r.length);
 				return;
 			}
 		}
 		node->count = cctx->count++;
 		/*
 		 * 'node->r.base' becomes 'tmp' when start == 0.
 		 * Record this by setting 0x8000 so it can be freed later.
 		 */
 		if (start == 0)
 			toffset |= 0x8000;
 		node->offset = toffset;
@@ -270,6 +273,9 @@ dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
 		n--;
 		count--;
 	}
 	if (start == 0)
 		isc_mem_put(cctx->mctx, tmp, length);
 }
 void