Fix use-after-free in cache_remove_uid().

Thanks to Kevin Darbyshire-Bryant for the bug report.
Simon Kelley
2023-11-13 22:08:08 +00:00
parent 77ef9b2603
commit 568fb02449


@@ -425,18 +425,21 @@ unsigned int cache_remove_uid(const unsigned int uid)
{ {
int i; int i;
unsigned int removed = 0; unsigned int removed = 0;
struct crec *crecp, **up; struct crec *crecp, *tmp, **up;
for (i = 0; i < hash_size; i++) for (i = 0; i < hash_size; i++)
for (crecp = hash_table[i], up = &hash_table[i]; crecp; crecp = crecp->hash_next) for (crecp = hash_table[i], up = &hash_table[i]; crecp; crecp = tmp)
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && crecp->uid == uid) {
{ tmp = crecp->hash_next;
*up = crecp->hash_next; if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && crecp->uid == uid)
free(crecp); {
removed++; *up = tmp;
} free(crecp);
else removed++;
up = &crecp->hash_next; }
else
up = &crecp->hash_next;
}
return removed; return removed;
} }
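Review bot: The new `tmp = crecp->hash_next;` at the top of the inner loop body has no comment explaining why the successor is read before the match test, and that ordering is the entire fix. I would add `/* crecp may be freed below; read its successor while it is still valid */` directly above it. Without that, a later tidy-up that moves the read back into the `for` increment would silently restore the read of freed memory. Ordinary testing would probably miss such a regression, because a freed block often still holds its old pointer, so a test run of this path under AddressSanitizer would be a useful guard. The `else` branch still takes `&crecp->hash_next`, which is fine because it is only reached for entries that are kept.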