From: Peter Wagner
Newsgroups: gmane.linux.lib.musl.general
Subject: Freeing the ai_canonname in the getaddrinfo directly leads to a Segmentation fault
Date: Sun, 17 Feb 2019 15:55:31 +0100
Message-ID: <20190217155531.31d2d938@onion.lan>
To: musl@lists.openwall.com
Xref: news.gmane.org gmane.linux.lib.musl.general:13808

Hello,

after the latest update to musl 1.1.21 this code compiles on glibc without a problem and works. It compiles for musl too, but it crashes at the free.

#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

int main(){
	int error;
	const char *paddr = "192.168.1.1";
	struct addrinfo *ai = NULL;
	struct addrinfo hint = {
		/* don't return duplicates */
		.ai_protocol = (int)IPPROTO_UDP,
		.ai_flags = AI_NUMERICHOST,
		.ai_family = AF_UNSPEC,
	};

	error = getaddrinfo(paddr, NULL, &hint, &ai);
	if ( ! error ) {
		free(ai->ai_canonname); /* crashes here */
	}
}

The gdb backtrace:

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__bin_chunk (self=0x77ffffbc) at src/malloc/malloc.c:450
450		if (next->psize != self->csize) a_crash();
(gdb) bt
#0  __bin_chunk (self=0x77ffffbc) at src/malloc/malloc.c:450
#1  0x004006b0 in main () at foo.c:22

The corresponding code in malloc.c:

│449		/* Crash on corrupted footer (likely from buffer overflow) */
│ >│450		if (next->psize != self->csize) a_crash();

Shouldn't it be possible to free a part of a structure instead of freeing the addrinfo structure ai points to as a whole?

Regards,
Peter Wagner
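The same lookup done the way the getaddrinfo() contract requires, as an added example (my code, not Peter's program or musl's source): copy whatever you need out of the list, then release it with freeaddrinfo(), which frees the nodes, the socket addresses and the canonical name as one unit. The function names resolve_numeric and check_numeric_roundtrip are my own, and the block assumes a POSIX system (glibc or musl); the numeric host keeps it offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
/* Resolve a numeric host offline (AI_NUMERICHOST never touches DNS), copy what
 * the caller wants to keep, then release the list the only way the API allows:
 * freeaddrinfo() on the head. musl carves the nodes, the sockaddrs and the
 * canonical name out of one allocation, so free(ai->ai_canonname) hands malloc
 * a pointer into the middle of a chunk and its footer check aborts. Returns
 * the number of entries, or -1 on failure. */
int resolve_numeric(const char *host, char *text, size_t text_len, char **canon_out)
{
    struct addrinfo hint = {
        .ai_family = AF_UNSPEC,
        .ai_protocol = IPPROTO_UDP,
        .ai_flags = AI_NUMERICHOST | AI_CANONNAME,
    };
    struct addrinfo *ai = NULL;
    if (getaddrinfo(host, NULL, &hint, &ai) != 0 || ai == NULL) return -1;
    /* Render the first address while the list is still alive. */
    const void *raw = ai->ai_family == AF_INET
        ? (const void *)&((struct sockaddr_in *)ai->ai_addr)->sin_addr
        : (const void *)&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
    if (!inet_ntop(ai->ai_family, raw, text, (socklen_t)text_len)) {
        freeaddrinfo(ai);
        return -1;
    }
    /* Private copy: the caller frees this, never ai->ai_canonname itself. */
    *canon_out = ai->ai_canonname ? strdup(ai->ai_canonname) : NULL;
    int n = 0;
    for (struct addrinfo *p = ai; p; p = p->ai_next) n++;
    freeaddrinfo(ai);   /* nodes, sockaddrs and canonname go together */
    return n;
}

/* 1 if `host` is a numeric address that prints back as the same text, 0
 * otherwise (a hostname, for instance, is rejected under AI_NUMERICHOST). */
int check_numeric_roundtrip(const char *host)
{
    char text[INET6_ADDRSTRLEN];
    char *canon = NULL;
    if (resolve_numeric(host, text, sizeof text, &canon) < 1) return 0;
    int ok = strcmp(text, host) == 0;
    free(canon);        /* our own strdup() copy, so this free() is legal */
    return ok;
}
```

The original program only appears to work on glibc because, without AI_CANONNAME, glibc leaves ai_canonname NULL and free(NULL) is a no-op; the free is still wrong there too, and musl's footer check merely makes the misuse visible at once.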