use-after-free in open_socket_out

Carlos Carvalho carlos at fisica.ufpr.br
Mon Jul 11 18:39:58 MDT 2011


Since 3.0.8 (the same in 3.1) we have this around line 300 in socket.c:

        break;
    }
    freeaddrinfo(res0);   /* list freed here, but res0 still holds the old pointer */

    if (s < 0) {
        char buf[2048];
        for (res = res0, j = 0; res; res = res->ai_next, j++) {
            if (errnos[j] == 0)
                continue;
            /* res walks the list freed above: use after free when s < 0 */
            if (inet_ntop(res->ai_family, res->ai_addr->sa_data + 2, buf, sizeof buf) == NULL)
                strlcpy(buf, "*inet_ntop failed*", sizeof buf);
            rsyserr(FERROR, errnos[j], "failed to connect to %s (%s)", h, buf);
        }
        s = -1;
    }

res0 is freed but keeps its value, so there's access to freed memory in
res->ai* in the call to inet_ntop if s < 0. This might explain why
we've got a few cases of inet_ntop failed in the logs. I suggest the
attached obvious patch.
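The ordering fix the report describes, written out as a complete function so it can be compiled and exercised. This is an added example, not Carlos's attached patch and not rsync's socket.c: the function name open_socket_out_checked, the attempt_fn callback, the attempt_refused stand-in (which fails every address with ECONNREFUSED without touching the network) and the msgs output array are all constructed for this illustration. The one structural change versus the snippet above is that freeaddrinfo(res0) runs only after the error-reporting loop has finished walking the list. The address is formatted from sin_addr or sin6_addr chosen by ai_family rather than from a fixed offset into sa_data, which is a design choice of this example and not something the post discusses.

```c
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define MAX_ADDRS 16
#define MSG_LEN 160

/* One connection attempt against a resolved address; returns a socket or -1
 * with errno set. Pluggable so the failure path can be driven offline. */
typedef int (*attempt_fn)(const struct addrinfo *ai);

static int attempt_connect(const struct addrinfo *ai)
{
    int s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    if (s < 0)
        return -1;
    if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0) {
        int saved = errno;
        close(s);
        errno = saved;
        return -1;
    }
    return s;
}

/* Constructed stand-in: refuses every address so the reporting path runs. */
static int attempt_refused(const struct addrinfo *ai)
{
    (void)ai;
    errno = ECONNREFUSED;
    return -1;
}

/* Format the address of one addrinfo node, picking the per-family field. */
static const char *addr_str(const struct addrinfo *ai, char *buf, size_t len)
{
    const void *a;
    if (ai->ai_family == AF_INET)
        a = &((const struct sockaddr_in *)ai->ai_addr)->sin_addr;
    else if (ai->ai_family == AF_INET6)
        a = &((const struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
    else
        return "*unknown family*";
    return inet_ntop(ai->ai_family, a, buf, len) ? buf : "*inet_ntop failed*";
}

/* Hardened shape of the loop: try each address, remember its errno, and on
 * total failure report every failed address while the list is still alive.
 * Up to max messages are written to msgs; *nmsgs receives the full count. */
static int open_socket_out_checked(const char *host, const char *port,
                                   attempt_fn attempt,
                                   char msgs[][MSG_LEN], int max, int *nmsgs)
{
    struct addrinfo hints, *res0, *res;
    int errnos[MAX_ADDRS] = {0};
    int s = -1, j;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; /* no DNS: runs offline */
    *nmsgs = 0;
    if (getaddrinfo(host, port, &hints, &res0) != 0)
        return -1;

    for (res = res0, j = 0; res && j < MAX_ADDRS; res = res->ai_next, j++) {
        s = attempt(res);
        if (s >= 0)
            break;
        errnos[j] = errno;
    }

    if (s < 0) {
        for (res = res0, j = 0; res && j < MAX_ADDRS; res = res->ai_next, j++) {
            char buf[INET6_ADDRSTRLEN];
            if (errnos[j] == 0)
                continue;
            if (*nmsgs < max)
                snprintf(msgs[*nmsgs], MSG_LEN, "failed to connect to %s (%s): %s",
                         host, addr_str(res, buf, sizeof buf), strerror(errnos[j]));
            (*nmsgs)++;
        }
    }
    freeaddrinfo(res0); /* last dereference of res was above; safe to free now */
    return s;
}

int main(int argc, char **argv)
{
    char msgs[MAX_ADDRS][MSG_LEN];
    int n = 0, i;
    /* Real attempt against a numeric host/port given on the command line. */
    int s = open_socket_out_checked(argc > 1 ? argv[1] : "127.0.0.1",
                                    argc > 2 ? argv[2] : "873",
                                    attempt_connect, msgs, MAX_ADDRS, &n);
    for (i = 0; i < n && i < MAX_ADDRS; i++)
        fprintf(stderr, "%s\n", msgs[i]);
    if (s >= 0)
        close(s);
    return s >= 0 ? 0 : 1;
}
```

With the refusing stand-in and a single numeric address, the function returns -1 and produces exactly one report line naming that address; because the list is freed only after that loop, the message text comes from live memory rather than from whatever freeaddrinfo left behind.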

-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch
Type: application/octet-stream
Size: 303 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/rsync/attachments/20110711/fd642208/attachment.obj>


More information about the rsync mailing list