ares_set_servers_csv() on failure should not leave channel in a bad s…

…tate If bad data is passed to ares_set_servers_csv() or ares_set_servers_ports_csv() it will clear the existing channel configured DNS servers, then a call to ares_send() will fail due to a bad malloc which may have undefined behavior. The fix now only clears existing servers on success. An additional sanity check was added in ares_send() to ensure nservers >= 1 or will result in ARES_ESERVFAIL. Bug: https://c-ares.haxx.se/mail/c-ares-archive-2018-03/0000.shtml Reported-by: Francisco Sedano Crippa
c-ares · Mar 15, 2018 · d0f7d5e · d0f7d5e
1 parent 5786f6d
commit d0f7d5e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/ares_options.c b/ares_options.c
@@ -258,8 +258,6 @@ static int set_servers_csv(ares_channel channel,
   if (!channel)
     return ARES_ENODATA;
 
-  ares__destroy_servers_state(channel);
-
   i = strlen(_csv);
   if (i == 0)
      return ARES_SUCCESS; /* blank all servers */

diff --git a/ares_send.c b/ares_send.c
@@ -60,6 +60,12 @@ void ares_send(ares_channel channel, const unsigned char *qbuf, int qlen,
       callback(arg, ARES_ENOMEM, 0, NULL, 0);
       return;
     }
+  if (channel->nservers < 1)
+    {
+      ares_free(query);
+      callback(arg, ARES_ESERVFAIL, 0, NULL, 0);
+      return;
+    }
   query->server_info = ares_malloc(channel->nservers *
                                    sizeof(query->server_info[0]));
   if (!query->server_info)