Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Memory leak in outside_network.c #78

Closed
rdrozhdzh opened this issue Sep 18, 2019 · 4 comments
Closed

Memory leak in outside_network.c #78

rdrozhdzh opened this issue Sep 18, 2019 · 4 comments

Comments

@rdrozhdzh
Copy link

In function outnet_serviced_query(), first serviced_query object is created at

unbound/services/outside_network.c

Lines 2124 to 2128 in 13d9654

/* make new serviced query entry */
sq = serviced_create(outnet, buff, dnssec, want_dnssec, nocaps,
tcp_upstream, ssl_upstream, tls_auth_name, addr,
addrlen, zone, zonelen, (int)qinfo->qtype,
qstate->edns_opts_back_out);

which potentially allocates memory for the fields qbuf, zone, tls_auth_name and opt_list.

And later under some conditions, this object can be destroyed, but only qbuf and zone fields are released at

unbound/services/outside_network.c

Lines 2135 to 2139 in 13d9654

if(!serviced_udp_send(sq, buff)) {
(void)rbtree_delete(outnet->serviced, sq);
free(sq->qbuf);
free(sq->zone);
free(sq);

and

unbound/services/outside_network.c

Lines 2144 to 2148 in 13d9654

if(!serviced_tcp_send(sq, buff)) {
(void)rbtree_delete(outnet->serviced, sq);
free(sq->qbuf);
free(sq->zone);
free(sq);

Probably, the function serviced_delete() or serviced_node_del() should be used instead for destroying the serviced_query object.
@wcawijngaards
Copy link
Member

Yes serviced_node_del is the function we can use here. Thank you for the report!

wcawijngaards added a commit that referenced this issue Sep 19, 2019
@wcawijngaards
- Fix fix for #78 to also free service callback struct.
554e4a9
@rdrozhdzh
Copy link
Author

You must not remove lines

  free(cb);

in both cases. The variable cb is not related to the serviced_query object being destroyed

@wcawijngaards
Copy link
Member

You are correct, and I fixed it in 554e4a9 after the code analyzer (clang) found it!

@rdrozhdzh
Copy link
Author

ok, I see it now, thank you!

jedisct1 added a commit to jedisct1/unbound that referenced this issue Sep 21, 2019
@jedisct1
Merge remote-tracking branch 'nlnet/master'
35ac577 
* nlnet/master: (22 commits)
  Changelog entry for NLnetLabs#83 - Merge NLnetLabs#83 from Maryse47: contrib/unbound.service.in: do not fork   into the background.
  unbound.service.in: do not fork into the background
  Changelog entry for NLnetLabs#81. - Merge NLnetLabs#81 from Maryse47: Consistently use /dev/urandom instead   of /dev/random in scripts and docs.
  (Changelog entry for NLnetLabs#82). - Merge NLnetLabs#82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW   in unbound.service.
  Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service
  Consistently use /dev/urandom instead of /dev/random in scripts and docs
  - Merge NLnetLabs#80 from stasic: Improve wording in man page. (Changelog entry for merge)
  Improve wording in man page
  - Fix wrong response ttl for prepended short CNAME ttls, this would   create a wrong zero_ttl response count with serve-expired enabled.
  - Fix for oss-fuzz build warning.
  - Fix fix for NLnetLabs#78 to also free service callback struct.
  - oss-fuzz badge on README.md.
  - Merge pull request NLnetLabs#76 from Maryse47: Improvements and fixes for   systemd unbound.service. (Changelog note for merge of NLnetLabs#76).
  - Fix NLnetLabs#78: Memory leak in outside_network.c.
  Improvements and fixes for systemd unbound.service
  - Use explicit bzero for wiping clear buffer of hash in cachedb,   reported by Eric Sesterhenn from X41 D-Sec.
  - Fix NLnetLabs#72: configure --with-syslog-facility=LOCAL0-7 with default   LOG_DAEMON (as before) can set the syslog facility that the server   uses to log messages.
  - Fix NLnetLabs#71: fix openssl error squelch commit compilation error.
  - squelch DNS over TLS errors 'ssl handshake failed crypto error'   on low verbosity, they show on verbosity 3 (query details), because   there is a high volume and the operator cannot do anything for the   remote failure.  Specifically filters the high volume errors.
  - updated Makefile dependencies.
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wcawijngaards @rdrozhdzh