From jinmei@ocean.jinmei.org  Wed Jun 16 03:50:00 2004
Return-Path: <jinmei@ocean.jinmei.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D21E616A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 16 Jun 2004 03:50:00 +0000 (GMT)
Received: from ocean.jinmei.org (kame201.kame.net [203.178.141.201])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 37A1D43D5F
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 16 Jun 2004 03:50:00 +0000 (GMT)
	(envelope-from jinmei@ocean.jinmei.org)
Received: by ocean.jinmei.org (Postfix, from userid 2308)
	id 4AFA633F; Wed, 16 Jun 2004 12:48:30 +0900 (JST)
Message-Id: <20040616034830.4AFA633F@ocean.jinmei.org>
Date: Wed, 16 Jun 2004 12:48:30 +0900 (JST)
From: JINMEI Tatuya <jinmei@ocean.jinmei.org>
Reply-To: JINMEI Tatuya <jinmei@ocean.jinmei.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: getaddrinfo.c uses a dangling pointer
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         67994
>Category:       bin
>Synopsis:       getaddrinfo.c uses a dangling pointer
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ume
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 16 03:50:21 GMT 2004
>Closed-Date:    Wed Jun 16 18:31:20 GMT 2004
>Last-Modified:  Wed Jun 16 18:31:20 GMT 2004
>Originator:     JINMEI Tatuya
>Release:        FreeBSD 4.9-RELEASE i386
>Organization:
The KAME Project
>Environment:
System: FreeBSD ocean.jinmei.org 4.9-RELEASE FreeBSD 4.9-RELEASE #36: Wed May 19 18:16:55 JST 2004 jinmei@ocean.jinmei.org:/home/jinmei/src/kame/kame/freebsd4/sys/compile/SS2010_SCTP i386

Machine: Toshiba Portege 2000
OS: see above
I'm using a KAME snapshot, but it should be irrelevant to this report.

>Description:

lib/libc/net/getaddrinfo.c:_dns_getaddrinfo() uses a dangling
(uninitialized) pointer "addr" in the res_target structure.
This could potentially make the library crash in e.g., the getanswer
function in this file.  Fortunately, however, the illegal pointer
access should actually not happen, since this pointer should always be
set correctly in getanswer() in this context.

But I believe the bug should be corrected for future changes that
might trigger the crash.

>How-To-Repeat:

None (the bug currently does not cause an actual problem).

>Fix:

Apply the below patch.  Apparently, the CURRENT also needs this fix.

Index: getaddrinfo.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/net/getaddrinfo.c,v
retrieving revision 1.9.2.14
diff -u -r1.9.2.14 getaddrinfo.c
--- getaddrinfo.c	8 Nov 2002 17:49:31 -0000	1.9.2.14
+++ getaddrinfo.c	16 Jun 2004 03:26:47 -0000
@@ -1493,7 +1493,6 @@
 {
 	struct addrinfo *ai;
 	querybuf *buf, *buf2;
-	const char *name;
 	struct addrinfo sentinel, *cur;
 	struct res_target q, q2;
 
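Review bot: Removing `const char *name;` is the right fix, and because this is the only declaration of `name` that the patch deletes, any `q.name = name` left behind elsewhere in the function will now fail to compile instead of silently copying an uninitialized pointer; building the patched file is therefore a cheap check that every use was caught.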
@@ -1517,27 +1516,27 @@
 	switch (pai->ai_family) {
 	case AF_UNSPEC:
 		/* prefer IPv6 */
-		q.name = name;
+		q.name = hostname;
 		q.qclass = C_IN;
 		q.qtype = T_AAAA;
 		q.answer = buf->buf;
 		q.anslen = sizeof(buf->buf);
 		q.next = &q2;
-		q2.name = name;
+		q2.name = hostname;
 		q2.qclass = C_IN;
 		q2.qtype = T_A;
 		q2.answer = buf2->buf;
 		q2.anslen = sizeof(buf2->buf);
 		break;
 	case AF_INET:
-		q.name = name;
+		q.name = hostname;
 		q.qclass = C_IN;
 		q.qtype = T_A;
 		q.answer = buf->buf;
 		q.anslen = sizeof(buf->buf);
 		break;
 	case AF_INET6:
-		q.name = name;
+		q.name = hostname;
 		q.qclass = C_IN;
 		q.qtype = T_AAAA;
 		q.answer = buf->buf;
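Review bot: All four arms now assign `q.name = hostname` (and `q2.name = hostname` in AF_UNSPEC) identically, so hoisting a single `q.name = hostname;` above the `switch` would remove the repetition and stop a later arm from forgetting the assignment; `hostname` is not in the hunk context, so it is assumed to be the function's parameter. Also, the Synopsis and Description refer to the uninitialized field as "addr", while every line changed here is `name`; the committed description should use the field actually touched.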

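The description above argues that the uninitialized pointer is harmless only because getanswer() happens to assign the field before reading it. The following is an added example, not code from the PR or from libc: a constructed stand-in for struct res_target (only the fields needed here), an answer routine that assigns the field first (the masking case the PR relies on) beside a hypothetical one that reads it first, and the query chain built the pre-patch way and the patched way. To keep the demo free of undefined behaviour, the unset local is represented by a NULL placeholder rather than a genuinely uninitialized variable; the qtype constants 28 and 1 are the standard T_AAAA and T_A values.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for libc's struct res_target; only the fields this
 * example needs. It is not the real definition. */
struct res_target {
    struct res_target *next;
    const char *name;     /* query name; the field the PR's patch fixes */
    int qtype;            /* T_A / T_AAAA in the real code */
};

/* Models the getanswer() behaviour the PR relies on: the callee assigns
 * t->name before it ever reads it, so garbage in the field is never observed. */
static int answer_assigns_first(struct res_target *t, const char *hostname)
{
    t->name = hostname;
    return (int)strlen(t->name);
}

/* Models a hypothetical later change to the callee that reads t->name before
 * assigning it. With the pre-patch caller this is where a crash would surface. */
static int answer_reads_first(struct res_target *t)
{
    if (t->name == NULL)
        return -1;                 /* the caller never set the field */
    return (int)strlen(t->name);
}

/* Builds the AF_UNSPEC chain the way the patched code does: both targets
 * point at the caller's hostname, and the structs are zeroed first so any
 * field left unset is NULL rather than stack garbage. */
static void build_chain_fixed(struct res_target *q, struct res_target *q2,
                              const char *hostname)
{
    memset(q, 0, sizeof *q);
    memset(q2, 0, sizeof *q2);
    q->name = hostname;
    q->qtype = 28;                 /* T_AAAA */
    q->next = q2;
    q2->name = hostname;
    q2->qtype = 1;                 /* T_A */
}

/* Mirrors the pre-patch path: q.name is copied from a local that was never
 * assigned. A NULL placeholder stands in for "whatever was on the stack" so
 * the example stays deterministic. */
static void build_chain_buggy(struct res_target *q, struct res_target *q2)
{
    const char *name = NULL;       /* stand-in for the uninitialized local */
    memset(q, 0, sizeof *q);
    memset(q2, 0, sizeof *q2);
    q->name = name;
    q->qtype = 28;
    q->next = q2;
    q2->name = name;
    q2->qtype = 1;
}

/* Runs every target in the chain through the chosen answer routine and
 * returns the last result, or -1 as soon as any target fails. */
static int run_chain(struct res_target *q, int reads_first, const char *hostname)
{
    int rc = 0;
    for (; q != NULL; q = q->next) {
        rc = reads_first ? answer_reads_first(q)
                         : answer_assigns_first(q, hostname);
        if (rc < 0)
            return -1;
    }
    return rc;
}

/* The four scenarios. Each returns strlen("example.org") == 11 on success
 * and -1 when the unset pointer is actually observed. */
int latent_bug_masked(void)
{
    struct res_target q, q2;
    build_chain_buggy(&q, &q2);
    return run_chain(&q, 0, "example.org");   /* callee assigns first: hides the bug */
}

int latent_bug_exposed(void)
{
    struct res_target q, q2;
    build_chain_buggy(&q, &q2);
    return run_chain(&q, 1, "example.org");   /* callee reads first: bug surfaces */
}

int fixed_assigns_first(void)
{
    struct res_target q, q2;
    build_chain_fixed(&q, &q2, "example.org");
    return run_chain(&q, 0, "example.org");
}

int fixed_reads_first(void)
{
    struct res_target q, q2;
    build_chain_fixed(&q, &q2, "example.org");
    return run_chain(&q, 1, "example.org");
}
```

The point of the two buggy scenarios is that identical caller code behaves correctly or fails depending only on the order of operations inside the callee, which is exactly why the report asks for the fix despite there being no crash today; zeroing the struct and checking for NULL in the consumer turns the real-world version of the exposed case into a deterministic error instead of a read of an arbitrary stack value.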
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ume 
Responsible-Changed-By: ume 
Responsible-Changed-When: Wed Jun 16 05:45:47 GMT 2004 
Responsible-Changed-Why:  
I'll take this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=67994 
State-Changed-From-To: open->closed 
State-Changed-By: ume 
State-Changed-When: Wed Jun 16 18:29:36 GMT 2004 
State-Changed-Why:  
Thanks, committed! 
There is no problem mentioned in this PR on 5-CURRENT. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=67994 
>Unformatted:
