Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Memory leak in outside_network.c #78

Closed
rdrozhdzh opened this issue Sep 18, 2019 · 4 comments
Closed

Memory leak in outside_network.c #78

rdrozhdzh opened this issue Sep 18, 2019 · 4 comments

Comments

@rdrozhdzh
Copy link

@rdrozhdzh rdrozhdzh commented Sep 18, 2019

In function outnet_serviced_query(), first serviced_query object is created at

/* make new serviced query entry */
sq = serviced_create(outnet, buff, dnssec, want_dnssec, nocaps,
tcp_upstream, ssl_upstream, tls_auth_name, addr,
addrlen, zone, zonelen, (int)qinfo->qtype,
qstate->edns_opts_back_out);

which potentially allocates memory for the fields qbuf, zone, tls_auth_name and opt_list.

And later under some conditions, this object can be destroyed, but only qbuf and zone fields are released at

if(!serviced_udp_send(sq, buff)) {
(void)rbtree_delete(outnet->serviced, sq);
free(sq->qbuf);
free(sq->zone);
free(sq);

and
if(!serviced_tcp_send(sq, buff)) {
(void)rbtree_delete(outnet->serviced, sq);
free(sq->qbuf);
free(sq->zone);
free(sq);

Probably, the function serviced_delete() or serviced_node_del() should be used instead for destroying the serviced_query object.

@wcawijngaards

This comment has been minimized.

Copy link
Member

@wcawijngaards wcawijngaards commented Sep 19, 2019

Yes serviced_node_del is the function we can use here. Thank you for the report!

wcawijngaards added a commit that referenced this issue Sep 19, 2019
@rdrozhdzh

This comment has been minimized.

Copy link
Author

@rdrozhdzh rdrozhdzh commented Sep 19, 2019

You must not remove lines

  free(cb);

in both cases. The variable cb is not related to the serviced_query object being destroyed

@wcawijngaards

This comment has been minimized.

Copy link
Member

@wcawijngaards wcawijngaards commented Sep 19, 2019

You are correct, and I fixed it in 554e4a9 after the code analyzer (clang) found it!

@rdrozhdzh

This comment has been minimized.

Copy link
Author

@rdrozhdzh rdrozhdzh commented Sep 19, 2019

ok, I see it now, thank you!

jedisct1 added a commit to jedisct1/unbound that referenced this issue Sep 21, 2019
* nlnet/master: (22 commits)
  Changelog entry for NLnetLabs#83 - Merge NLnetLabs#83 from Maryse47: contrib/unbound.service.in: do not fork   into the background.
  unbound.service.in: do not fork into the background
  Changelog entry for NLnetLabs#81. - Merge NLnetLabs#81 from Maryse47: Consistently use /dev/urandom instead   of /dev/random in scripts and docs.
  (Changelog entry for NLnetLabs#82). - Merge NLnetLabs#82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW   in unbound.service.
  Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service
  Consistently use /dev/urandom instead of /dev/random in scripts and docs
  - Merge NLnetLabs#80 from stasic: Improve wording in man page. (Changelog entry for merge)
  Improve wording in man page
  - Fix wrong response ttl for prepended short CNAME ttls, this would   create a wrong zero_ttl response count with serve-expired enabled.
  - Fix for oss-fuzz build warning.
  - Fix fix for NLnetLabs#78 to also free service callback struct.
  - oss-fuzz badge on README.md.
  - Merge pull request NLnetLabs#76 from Maryse47: Improvements and fixes for   systemd unbound.service. (Changelog note for merge of NLnetLabs#76).
  - Fix NLnetLabs#78: Memory leak in outside_network.c.
  Improvements and fixes for systemd unbound.service
  - Use explicit bzero for wiping clear buffer of hash in cachedb,   reported by Eric Sesterhenn from X41 D-Sec.
  - Fix NLnetLabs#72: configure --with-syslog-facility=LOCAL0-7 with default   LOG_DAEMON (as before) can set the syslog facility that the server   uses to log messages.
  - Fix NLnetLabs#71: fix openssl error squelch commit compilation error.
  - squelch DNS over TLS errors 'ssl handshake failed crypto error'   on low verbosity, they show on verbosity 3 (query details), because   there is a high volume and the operator cannot do anything for the   remote failure.  Specifically filters the high volume errors.
  - updated Makefile dependencies.
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.