tinc 1.1: freeaddrinfo(NULL) crash on windows
Todd C. Miller
Todd.Miller at sudo.ws
Mon Jan 22 17:51:33 CET 2018
On Windows, freeaddrinfo(NULL) will result in a segv. In
get_recent_address(), there is the following block of code:
    if(cache->aip) {
        sockaddr_t *sa = (sockaddr_t *)cache->aip->ai_addr;
        cache->aip = cache->aip->ai_next;
        if(!cache->aip) {
            freeaddrinfo(cache->aip);
            cache->aip = NULL;
        }
        return sa;
    }
where freeaddrinfo() is called when cache->aip is guaranteed to be
NULL. I get a bit confused with respect to cache->ai vs. cache->aip
but that part of the code looks suspicious.
At first I thought it was intended to free the old value of cache->aip,
but since sa points to memory within that chunk, freeing it would
result in a use-after-free situation.
- todd
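For comparison, an added example (not tinc's code) of cursor logic that avoids both problems described above: the list is released through its head pointer, never through the exhausted NULL cursor, and the address is copied into caller-owned storage before the free, so the caller never holds a pointer into released memory. The names addr_cache_t, cache_fill and cache_next are assumptions for this example; it resolves a numeric host so it runs offline.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Hypothetical cache: 'ai' owns the list, 'aip' is only a cursor into it. */
typedef struct {
    struct addrinfo *ai;
    struct addrinfo *aip;
} addr_cache_t;

/* Prime the cache from a numeric host/port so no DNS lookup is needed. */
bool cache_fill(addr_cache_t *cache, const char *host, const char *port) {
    struct addrinfo hints;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    cache->ai = cache->aip = NULL;
    if (getaddrinfo(host, port, &hints, &cache->ai) != 0)
        return false;
    cache->aip = cache->ai;
    return true;
}

/* Copy the next address into caller-owned storage. The list is released
 * through the head pointer (never the exhausted, NULL cursor) and only
 * after the copy, so the returned address never points into freed memory. */
bool cache_next(addr_cache_t *cache, struct sockaddr_storage *out, socklen_t *outlen) {
    if (!cache->aip)
        return false;
    memcpy(out, cache->aip->ai_addr, cache->aip->ai_addrlen);
    *outlen = cache->aip->ai_addrlen;
    cache->aip = cache->aip->ai_next;
    if (!cache->aip) {
        freeaddrinfo(cache->ai);   /* head of the list, guaranteed non-NULL here */
        cache->ai = NULL;
    }
    return true;
}

int main(void) {
    addr_cache_t cache; struct sockaddr_storage ss; socklen_t len;
    if (!cache_fill(&cache, "127.0.0.1", "655")) return 1;
    while (cache_next(&cache, &ss, &len))
        printf("family %d, %u bytes\n", ss.ss_family, (unsigned)len);
    return 0;
}
```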