Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 10:18:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix use-after-free in cache_remove_uid().

Browse Source 
Thanks to Kevin Darbyshire-Bryant for the bug report.
This commit is contained in:
Simon Kelley
2023-11-13 22:08:08 +00:00
parent 77ef9b2603
commit 568fb02449
1 changed files with 13 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/cache.c
View File

@@ -425,18 +425,21 @@ unsigned int cache_remove_uid(const unsigned int uid)
{ {
int i; int i;
unsigned int removed = 0; unsigned int removed = 0;
struct crec *crecp, **up; struct crec *crecp, *tmp, **up;
for (i = 0; i < hash_size; i++) for (i = 0; i < hash_size; i++)
for (crecp = hash_table[i], up = &hash_table[i]; crecp; crecp = crecp->hash_next) for (crecp = hash_table[i], up = &hash_table[i]; crecp; crecp = tmp)
{
tmp = crecp->hash_next;
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && crecp->uid == uid) if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && crecp->uid == uid)
{ {
*up = crecp->hash_next; *up = tmp;
free(crecp); free(crecp);
removed++; removed++;
} }
else else
up = &crecp->hash_next; up = &crecp->hash_next;
}
return removed; return removed;
} }