ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

[master] use-after-free in isc_radix_remove()

Browse Source 
3826.	[bug]		Corrected a use-after-free in isc_radix_remove().
			(This function is not used in BIND, but could have
			caused problems in programs linking to libisc.)
			[RT #35870]
This commit is contained in:
Evan Hunt
2014-04-29 15:21:46 -07:00
parent e54767a3c9
commit 3e5743068c
2 changed files with 17 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@@ -1,3 +1,8 @@
3826. [bug] Corrected a use-after-free in isc_radix_remove().
(This function is not used in BIND, but could have
caused problems in programs linking to libisc.)
[RT #35870]
3825. [bug] Address sign extension bug in isc_regex_validate.
[RT #35758]

17
lib/isc/radix.c
View File

@@ -634,12 +634,12 @@ isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node) {
if (node->r == NULL && node->l == NULL) {
parent = node->parent;
_deref_prefix(node->prefix);
isc_mem_put(radix->mctx, node, sizeof(*node));
radix->num_active_node--;
if (parent == NULL) {
INSIST(radix->head == node);
radix->head = NULL;
isc_mem_put(radix->mctx, node, sizeof(*node));
radix->num_active_node--;
return;
}
@@ -652,11 +652,13 @@ isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node) {
child = parent->r;
}
isc_mem_put(radix->mctx, node, sizeof(*node));
radix->num_active_node--;
if (parent->prefix)
return;
/* We need to remove parent too. */
if (parent->parent == NULL) {
INSIST(radix->head == parent);
radix->head = child;
@@ -666,6 +668,7 @@ isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node) {
INSIST(parent->parent->l == parent);
parent->parent->l = child;
}
child->parent = parent->parent;
isc_mem_put(radix->mctx, parent, sizeof(*parent));
radix->num_active_node--;
@@ -678,19 +681,23 @@ isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node) {
INSIST(node->l != NULL);
child = node->l;
}
parent = node->parent;
child->parent = parent;
_deref_prefix(node->prefix);
isc_mem_put(radix->mctx, node, sizeof(*node));
radix->num_active_node--;
if (parent == NULL) {
INSIST(radix->head == node);
radix->head = child;
isc_mem_put(radix->mctx, node, sizeof(*node));
radix->num_active_node--;
return;
}
isc_mem_put(radix->mctx, node, sizeof(*node));
radix->num_active_node--;
if (parent->r == node) {
parent->r = child;
} else {