Memory leak in outside_network.c

[rdrozhdzh]

In function outnet_serviced_query(), first serviced_query object is created at

unbound/services/outside_network.c

Lines 2124 to 2128 in 13d9654

	/* make new serviced query entry */
	sq = serviced_create(outnet, buff, dnssec, want_dnssec, nocaps,
	tcp_upstream, ssl_upstream, tls_auth_name, addr,
	addrlen, zone, zonelen, (int)qinfo->qtype,
	qstate->edns_opts_back_out);

which potentially allocates memory for the fields qbuf, zone, tls_auth_name and opt_list.

And later under some conditions, this object can be destroyed, but only qbuf and zone fields are released at

unbound/services/outside_network.c

Lines 2135 to 2139 in 13d9654

	if(!serviced_udp_send(sq, buff)) {
	(void)rbtree_delete(outnet->serviced, sq);
	free(sq->qbuf);
	free(sq->zone);
	free(sq);

and

unbound/services/outside_network.c

Lines 2144 to 2148 in 13d9654

	if(!serviced_tcp_send(sq, buff)) {
	(void)rbtree_delete(outnet->serviced, sq);
	free(sq->qbuf);
	free(sq->zone);
	free(sq);

Probably, the function serviced_delete() or serviced_node_del() should be used instead for destroying the serviced_query object.

[wcawijngaards]

Yes serviced_node_del is the function we can use here. Thank you for the report!

[rdrozhdzh]

You must not remove lines

  free(cb);

in both cases. The variable cb is not related to the serviced_query object being destroyed

[wcawijngaards]

You are correct, and I fixed it in 554e4a9 after the code analyzer (clang) found it!

[rdrozhdzh]

ok, I see it now, thank you!