[Bug 855477] [NEW] _nss_nis_gethostbyname4_r() leaks memory on parse error

Ralph Corderoy ralph at inputplus.co.uk
Wed Sep 21 12:04:15 UTC 2011 

Public bug reported:

eglibc-2.13, nis/nss_nis/nis-hosts.c:
    452 enum nss_status
    453 _nss_nis_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
    454                            char *buffer, size_t buflen, int *errnop,
    455                            int *herrnop, int32_t *ttlp)
    456 {
    ...
    473   char *result;
    474   int len;
    475   int yperr = yp_match (domain, "hosts.byname", name2, namlen, &result, &len    );
    ...
    522   int parse_res = parse_line (result, &host, data, buflen, errnop, AF_UNSPEC    ,
    523                               0);
    524   if (__builtin_expect (parse_res < 1, 0))
    525     {
    526       if (parse_res == -1)
    527         {
    528           *herrnop = NETDB_INTERNAL;
    529           return NSS_STATUS_TRYAGAIN;
    530         }
    531       else
    532         {
    533           *herrnop = HOST_NOT_FOUND;
    534           return NSS_STATUS_NOTFOUND;
    535         }
    536     }
    ...
    553   free (result);
    554
    555   return NSS_STATUS_SUCCESS;
    556 }

#475's yp_match() malloc()s the memory for `result'.  It's free()d at 
#553 but not if there's a parse error from parse_line() at #522 and we
instead return early due to #529 or #534.

** Affects: eglibc (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/855477

Title:
  _nss_nis_gethostbyname4_r() leaks memory on parse error

Status in “eglibc” package in Ubuntu:
  New

Bug description:
  eglibc-2.13, nis/nss_nis/nis-hosts.c:
      452 enum nss_status
      453 _nss_nis_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
      454                            char *buffer, size_t buflen, int *errnop,
      455                            int *herrnop, int32_t *ttlp)
      456 {
      ...
      473   char *result;
      474   int len;
      475   int yperr = yp_match (domain, "hosts.byname", name2, namlen, &result, &len    );
      ...
      522   int parse_res = parse_line (result, &host, data, buflen, errnop, AF_UNSPEC    ,
      523                               0);
      524   if (__builtin_expect (parse_res < 1, 0))
      525     {
      526       if (parse_res == -1)
      527         {
      528           *herrnop = NETDB_INTERNAL;
      529           return NSS_STATUS_TRYAGAIN;
      530         }
      531       else
      532         {
      533           *herrnop = HOST_NOT_FOUND;
      534           return NSS_STATUS_NOTFOUND;
      535         }
      536     }
      ...
      553   free (result);
      554
      555   return NSS_STATUS_SUCCESS;
      556 }

  #475's yp_match() malloc()s the memory for `result'.  It's free()d at 
  #553 but not if there's a parse error from parse_line() at #522 and we
  instead return early due to #529 or #534.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/855477/+subscriptions

More information about the foundations-bugs mailing list