From: Ian Jackson
Date: Thu, 19 Feb 2015 01:05:33 +0000 (+0000)
Subject: src/types.c: Do not crash when one of several addr subqueries fails
X-Git-Tag: adns-1.5.1~9
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commitdiff_plain;h=f80690def49ab15ee32f01aaa3d2577807fef4ce

src/types.c: Do not crash when one of several addr subqueries fails

If a name passed to the addr lookup machinery (eg, passed to an adns_r_addr query, or resulting from a dereferencing query like adns_r_mx) has addresses for one address family (eg IPv4) but temporary failure for another (eg IPv6) then adns might (would usually) crash.

This is because icb_hostaddr would fail to reset the accumulated addrs pointer to 0 after freeing it, and then set naddrs to -1. The crash would occur in makefinal, which would attempt to arrange to copy -1 elements into the unified output buffer.

If the second AF gives a permanent error, the relevant part of the answer would contain an invalid (freed) pointer, with a zero length. The result during makefinal_query would be to allocate a zero length `block' in the unified output result buffer and put the pointer to that in the answer for the application, which is a violation of the promised API.

This bug was introduced with IPv6 support (in 1.5.0, in commit 2ca5496dfc95).

A test case for this bug will be introduced shortly.

Reported-by: Chris Burton of 8086.net
Signed-off-by: Ian Jackson
---

diff --git a/changelog b/changelog
index 77eda68..41ef965 100644
--- a/changelog
+++ b/changelog
@@ -6,6 +6,12 @@ adns (1.5.1~~) unstable; urgency=low * Fix TCP async connect handling. The bug is hidden on Linux and on most systems where the nameserver is on localhost. If it is not hidden, adns's TCP support is broken unless adns_if_noautosys is used. + * Fix addr queries (including subqueries, ie including deferencing MX + lookups etc.) not to crash when one of the address queries returns + tempfail. Also, do not return a spurious pointer to the application + when one of the address queries returns a permanent error (although, + the application almost certainly won't use this pointer because the + associated count is zero). -- diff --git a/src/types.c b/src/types.c index d65e155..142a942 100644 --- a/src/types.c +++ b/src/types.c @@ -892,6 +892,7 @@ static void icb_hostaddr(adns_query parent, adns_query child) { done: if (st) { adns__free_interim(parent, rrp->addrs); + rrp->addrs = 0; rrp->naddrs= (st>0 && st<=adns_s_max_tempfail) ? -1 : 0; }
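Review bot: typo in the first added line of the changelog hunk, "including deferencing MX lookups etc." should read "including dereferencing MX lookups etc." (the commit message itself spells it "dereferencing query like adns_r_mx"); worth fixing before the tag since this text ships to users in the changelog.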
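Review bot: the added `rrp->addrs = 0;` in the types.c hunk is the right fix for the freed pointer, but the following unchanged line still sets `rrp->naddrs` to -1 on tempfail, so correctness now depends on the consumer (makefinal, which the commit message says was trying to copy -1 elements) treating a null addrs as nothing to copy rather than trusting the count; a one-line comment at the `done:` label stating that invariant (addrs is always null when st is nonzero, and naddrs < 0 means tempfail rather than a length) would stop a future reader from "simplifying" the order of these two assignments. The commit message also defers the regression test to a later commit; landing it alongside this change would cover both the tempfail crash and the permanent-error zero-length block case from the same tag.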