use-after-free in open_socket_out

Carlos Carvalho carlos at
Mon Jul 11 18:39:58 MDT 2011

Since 3.0.8 (the same in 3.1) we have this around line 300 in socket.c:


    if (s < 0) {
        char buf[2048];
        for (res = res0, j = 0; res; res = res->ai_next, j++) {
            if (errnos[j] == 0)
                continue;
            /* res walks the list that res0 points to, which has already been freed */
            if (inet_ntop(res->ai_family, res->ai_addr->sa_data + 2, buf, sizeof buf) == NULL)
                strlcpy(buf, "*inet_ntop failed*", sizeof buf);
            rsyserr(FERROR, errnos[j], "failed to connect to %s (%s)", h, buf);
        }
        s = -1;

res0 is freed but keeps its value, so there's access to freed memory in
res->ai* in the call of inet_ntop if s < 0. This might explain why
we've got a few cases of inet_ntop failed in the logs. I suggest the
attached obvious patch.
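The ordering the report calls for, as an added C example (not Carlos's patch and not rsync's code): every failure message is formatted while the addrinfo list is still live, and the list is released only after the last read through it. try_connect_fn, free_list, make_v4_node, demo and the two loopback addresses are constructed stand-ins so it runs offline.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical connect attempt: 0 on success, else an errno value (a callback,
 * so no real sockets are opened). */
typedef int (*try_connect_fn)(const struct addrinfo *res);
void free_list(struct addrinfo *a) { while (a) { struct addrinfo *n = a->ai_next; free(a); a = n; } }

/* Corrected ordering of the rsync loop: try each address, keep its errno, print
 * every failure while the list is still valid, and release the list last.
 * Returns 0 on success, otherwise the number of failure lines written (> 0). */
int connect_any(struct addrinfo *res0, try_connect_fn try_connect)
{
    int errnos[16] = {0}, j, s = -1, reported = 0;
    struct addrinfo *res;
    for (res = res0, j = 0; res && j < 16; res = res->ai_next, j++) {
        errnos[j] = try_connect(res);
        if (errnos[j] == 0) { s = 0; break; }       /* first working address wins */
    }
    if (s < 0) {                                    /* every address failed */
        char buf[INET_ADDRSTRLEN];                  /* AF_INET only in this example */
        for (res = res0, j = 0; res && j < 16; res = res->ai_next, j++) {
            const struct sockaddr_in *sin = (const struct sockaddr_in *)res->ai_addr;
            if (inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof buf) == NULL)
                strcpy(buf, "*inet_ntop failed*");
            fprintf(stderr, "failed to connect to %s (%s)\n", buf, strerror(errnos[j]));
            reported++;
        }
    }
    free_list(res0);   /* freeaddrinfo() in real code: only here, after the last read of res0 */
    return reported;
}

/* Constructed AF_INET node, sockaddr in the same calloc() block; a real list
 * would come from getaddrinfo(). */
struct addrinfo *make_v4_node(const char *ip, struct addrinfo *next)
{
    struct addrinfo *ai = calloc(1, sizeof *ai + sizeof(struct sockaddr_in));
    struct sockaddr_in *sin = (struct sockaddr_in *)(ai + 1);
    sin->sin_family = AF_INET; inet_pton(AF_INET, ip, &sin->sin_addr);
    ai->ai_family = AF_INET; ai->ai_addr = (struct sockaddr *)sin;
    ai->ai_addrlen = sizeof *sin; ai->ai_next = next;
    return ai;
}
int always_refused(const struct addrinfo *r) { (void)r; return ECONNREFUSED; }
int second_works(const struct addrinfo *r)      /* only 127.0.0.2 "accepts" */
{ return ((struct sockaddr_in *)r->ai_addr)->sin_addr.s_addr == htonl(0x7f000002) ? 0 : ECONNREFUSED; }
/* Two constructed addresses; returns connect_any()'s failure-line count. */
int demo(try_connect_fn f) { return connect_any(make_v4_node("127.0.0.1", make_v4_node("127.0.0.2", NULL)), f); }
```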

