use-after-free in open_socket_out

Carlos Carvalho carlos at fisica.ufpr.br
Wed Jul 13 13:23:44 MDT 2011 

Wayne Davison (wayned at samba.org) wrote on 12 July 2011 16:51:
 >On Tue, Jul 12, 2011 at 3:12 PM, Carlos Carvalho <carlos at fisica.ufpr.br> wrote:
 >
 >    The new feature is indeed very useful but something else is needed: print
 >    the IP of the server even when the connection is successful, and also print
 >    any IPs that were tried but didn't work.
 >
 >
 >Looks nice to me.  I tweaked it a bit and committed it.

Thanks. However, the call to inet_ntop in the failed connection
reporting is still there. I've now found that it's really wrong for
ipv6. The attached patch changes it to getnameinfo, like for the
successful connection. Sorry for not changing it completely the first
time and causing more work to you.

The reason inet_ntop is failing for v6 is that the size of the
components of the structures is not the same as in v4. We really have
to use the declared fields instead of passing shifted pointers, so the
code needs to be

    char *result == NULL;
    if (res->ai_family == AF_INET)
        result = inet_ntop(AF_INET, &(((struct sockaddr_in *)res->ai_addr)->sin_addr), buf, sizeof buf);
    else if (res->ai_family == AF_INET6)
        result = inet_ntop(AF_INET6, &(((struct sockaddr_in6 *)res->ai_addr)->sin6_addr), buf, sizeof buf);
     if (result == NULL) 
        rprintf(FINFO, "*inet_ntop failed*\n");
    else
        rprintf(FINFO, "failed to connect to %s (%s)\n", h, buf);

which is quite a mess compared to getnameinfo:

    if ((error = getnameinfo(res->ai_addr, res->ai_addrlen, buf, sizeof buf, NULL, 0, NI_NUMERICHOST) != 0))
        rprintf(FINFO, "error in getnameinfo: %s\n", gai_strerror(error));
    else
        rprintf(FINFO, "failed to connect to %s (%s)\n", h, buf);

Besides, the BUGS section of inet_ntop says that it's conversion to
printable form is not as complete as getnameinfo. Finally, getnameinfo
is already used before in the same function and in client_addr(). So
it's clear it's better to use it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-2
Type: application/octet-stream
Size: 717 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/rsync/attachments/20110713/7bbcef84/attachment.obj>

More information about the rsync mailing list