Fix leak and crash in ares_parse_a/aaaa_reply (#264)

* fix leak if naddress of particular type found * fix segfault when wanted ttls count lesser than count of result records * add fuzzer input files that trigger problems (from #263) Reported-By: David Drysdale (@daviddrysdale) Fix-By: Andrew Selivanov (@ki11roy)
6 years ago · b949cc3ddf
parent 5dd3629bc9
commit b949cc3ddf
13 changed files with 14 additions and 4 deletions
--- a/ares_parse_a_reply.c
+++ b/ares_parse_a_reply.c
@ -71,7 +71,7 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen,

      if (naddrttls)
        {
-          *naddrttls = naddrs;
+          *naddrttls = 0;
        }

      return status;
@ -162,7 +162,7 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen,
              memcpy(hostent->h_addr_list[i],
                     &(((struct sockaddr_in *)next->ai_addr)->sin_addr),
                     sizeof(struct in_addr));
-              if (naddrttls)
+              if (naddrttls && i < *naddrttls)
                {
                  if (next->ai_ttl > cname_ttl)
                    addrttls[i].ttl = cname_ttl;
@ -177,6 +177,10 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen,
            }
          next = next->ai_next;
        }
+      if (i == 0)
+        {
+          ares_free(addrs);
+        }
    }

  if (host)
--- a/ares_parse_aaaa_reply.c
+++ b/ares_parse_aaaa_reply.c
@ -73,7 +73,7 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,

      if (naddrttls)
        {
-          *naddrttls = naddrs;
+          *naddrttls = 0;
        }

      return status;
@ -164,7 +164,7 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
              memcpy(hostent->h_addr_list[i],
                     &(((struct sockaddr_in6 *)next->ai_addr)->sin6_addr),
                     sizeof(struct ares_in6_addr));
-              if (naddrttls)
+              if (naddrttls && i < *naddrttls)
                {
                    if(next->ai_ttl > cname_ttl)
                      addrttls[i].ttl = cname_ttl;
@ -179,6 +179,11 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
            }
          next = next->ai_next;
        }
+
+      if (i == 0)
+        {
+          ares_free(addrs);
+        }
    }

  if (host)
--- a/test/fuzzcheck.sh
+++ b/test/fuzzcheck.sh
@ -1,4 +1,5 @@
 #!/bin/sh
+set -e
 # Check that all of the base fuzzing corpus parse without errors
 ./aresfuzz fuzzinput/*
 ./aresfuzzname fuzznames/*
--- a/test/fuzzinput/clusterfuzz-5650695891451904
+++ b/test/fuzzinput/clusterfuzz-5650695891451904
--- a/test/fuzzinput/clusterfuzz-5651369832218624
+++ b/test/fuzzinput/clusterfuzz-5651369832218624
--- a/test/fuzzinput/clusterfuzz-5674462260756480
+++ b/test/fuzzinput/clusterfuzz-5674462260756480
--- a/test/fuzzinput/clusterfuzz-5680630672654336
+++ b/test/fuzzinput/clusterfuzz-5680630672654336
--- a/test/fuzzinput/clusterfuzz-5683497160671232
+++ b/test/fuzzinput/clusterfuzz-5683497160671232
--- a/test/fuzzinput/clusterfuzz-5687310655422464
+++ b/test/fuzzinput/clusterfuzz-5687310655422464
--- a/test/fuzzinput/clusterfuzz-5695341573177344
+++ b/test/fuzzinput/clusterfuzz-5695341573177344
--- a/test/fuzzinput/clusterfuzz-5697835103682560
+++ b/test/fuzzinput/clusterfuzz-5697835103682560
--- a/test/fuzzinput/clusterfuzz-5728518081609728
+++ b/test/fuzzinput/clusterfuzz-5728518081609728
--- a/test/fuzzinput/clusterfuzz-5732960017317888
+++ b/test/fuzzinput/clusterfuzz-5732960017317888