tinc 1.1: freeaddrinfo(NULL) crash on windows

Todd C. Miller Todd.Miller at sudo.ws
Fri Feb 16 22:26:36 CET 2018


On Mon, 22 Jan 2018 18:08:22 +0100, Guus Sliepen wrote:

> Thanks for reporting this bug! Indeed, that code is wrong. It should
> free cache->ai instead of cache->aip. Even if it didn't crash on Linux,
> it was a memory leak. A fix is now in the git repository.

The fix leads to a use-after-free bug which is visible on macOS.
It doesn't seem to be much of a problem on most platforms since a
copy of freed memory is made almost immediately but on macOS the
memory appears to be cleared much of the time.  This results in an
attempt to connect to an AF_UNSPEC socket with no address, which
of course fails.

A potential fix, modeled on the "recently seen addresses not in our
cache" part of get_recent_address() is:

    https://github.com/gsliepen/tinc/pull/177

Another approach would be to pass the sockaddr_t to get_recent_address()
and fill it in there.  I can write a diff for that if you'd like.

I also noticed a problem with the recently seen but uncached code
which was hidden by a cast as well as a buffer overflow (read, not
write).  The PR includes fixes for these two as well.

 - todd
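The two orderings at issue, as an added example that is not tinc's code nor anything from this thread: the buggy version releases the getaddrinfo() list and then copies the address out of the freed entry, which is the use-after-free described above (it only looks fine where the allocator leaves freed memory intact); the fixed version copies first, bounded by the destination size so a bad ai_addrlen cannot over-read, and frees afterwards. The addr_cache_t shape with an `ai` head and `aip` cursor, the helper names and the sample 127.0.0.1:655 input are all assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Constructed for this example (not tinc's own code): a minimal address
 * cache shaped like the one the message describes, a getaddrinfo() result
 * list (ai) plus an iteration pointer into it (aip). */
typedef struct {
    struct addrinfo *ai;   /* head of the list, the pointer freeaddrinfo() wants */
    struct addrinfo *aip;  /* current entry while walking the list */
} addr_cache_t;

/* Resolve a numeric host/port offline (AI_NUMERICHOST, no DNS traffic). */
static int cache_fill(addr_cache_t *cache, const char *host, const char *port) {
    struct addrinfo hints;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    cache->ai = cache->aip = NULL;
    if (getaddrinfo(host, port, &hints, &cache->ai) != 0)
        return -1;
    cache->aip = cache->ai;
    return 0;
}

/* BUGGY ORDER (shown for contrast, never called): the list is released
 * first and the address is copied from the now-dangling entry afterwards.
 * Whether this "works" depends on what the allocator does with freed
 * memory, which is the Linux-versus-macOS difference described above. */
static int take_address_uaf(addr_cache_t *cache, struct sockaddr_storage *out, socklen_t *outlen) {
    struct addrinfo *cur = cache->aip;
    if (cur == NULL)
        return -1;
    freeaddrinfo(cache->ai);            /* cur now points into freed memory */
    cache->ai = cache->aip = NULL;
    *outlen = cur->ai_addrlen;          /* use after free */
    memcpy(out, cur->ai_addr, cur->ai_addrlen);
    return 0;
}

/* FIXED ORDER: copy the sockaddr while the entry is still live, bounded by
 * the destination size so a bad ai_addrlen cannot over-read, and only then
 * release the list. */
static int take_address_safe(addr_cache_t *cache, struct sockaddr_storage *out, socklen_t *outlen) {
    struct addrinfo *cur = cache->aip;
    if (cur == NULL)
        return -1;
    if (cur->ai_addrlen > sizeof *out)
        return -1;
    memcpy(out, cur->ai_addr, cur->ai_addrlen);
    *outlen = cur->ai_addrlen;
    freeaddrinfo(cache->ai);            /* nothing reads the list after this */
    cache->ai = cache->aip = NULL;
    return 0;
}

/* Resolve host:port with the safe order into *ss; 0 on success, -1 on failure. */
static int resolve_safe(const char *host, const char *port, struct sockaddr_storage *ss) {
    addr_cache_t cache;
    socklen_t len;
    memset(ss, 0, sizeof *ss);          /* AF_UNSPEC until a real copy lands */
    if (cache_fill(&cache, host, port) != 0)
        return -1;
    return take_address_safe(&cache, ss, &len);
}

/* Address family that survived the copy, or -1 on failure. */
static int resolved_family(const char *host, const char *port) {
    struct sockaddr_storage ss;
    if (resolve_safe(host, port, &ss) != 0)
        return -1;
    return ss.ss_family;
}

/* Port that survived the copy (host byte order), or -1 on failure. */
static int resolved_port(const char *host, const char *port) {
    struct sockaddr_storage ss;
    if (resolve_safe(host, port, &ss) != 0)
        return -1;
    if (ss.ss_family == AF_INET)
        return ntohs(((struct sockaddr_in *)&ss)->sin_port);
    if (ss.ss_family == AF_INET6)
        return ntohs(((struct sockaddr_in6 *)&ss)->sin6_port);
    return -1;
}

int main(void) {
    (void)take_address_uaf;             /* reference only; the buggy order is never executed */
    /* Constructed input: loopback on 655, tinc's default port. */
    printf("127.0.0.1:655 -> family %d (AF_INET=%d), port %d\n",
           resolved_family("127.0.0.1", "655"), AF_INET, resolved_port("127.0.0.1", "655"));
    return 0;
}
```

The symptom in the message (a connect() to an AF_UNSPEC sockaddr with no address) is exactly what the buggy order yields on an allocator that scrubs freed memory: the zeroed copy has ss_family 0. The safe order also gives a natural place for the length check, so the over-read fixed alongside the use-after-free does not come back through a malformed ai_addrlen.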