Null deref if ares_getaddrinfo() is terminated with ares_destroy()

bradh352 · bradh352 · commit df947034d960 · 2021-03-02T18:15:49.000-05:00
ares_freeaddrinfo() was not checking for a Null ptr during cleanup of an aborted query. Once that was resolved it uncovered another possible issue with multiple simultaneous underlying queries being outstanding and possibly prematurely cleaning up the handle. Reported By: Michael Kourlas Fix By: Brad House (@bradh352)
diff --git a/src/lib/ares_freeaddrinfo.c b/src/lib/ares_freeaddrinfo.c
@@ -51,6 +51,8 @@ void ares__freeaddrinfo_nodes(struct ares_addrinfo_node *head)
 
 void ares_freeaddrinfo(struct ares_addrinfo *ai)
 {
+  if (ai == NULL)
+    return;
   ares__freeaddrinfo_cnames(ai->cnames);
   ares__freeaddrinfo_nodes(ai->nodes);
   ares_free(ai);
diff --git a/src/lib/ares_getaddrinfo.c b/src/lib/ares_getaddrinfo.c
@@ -544,11 +544,6 @@ static void host_callback(void *arg, int status, int timeouts,
     {
       addinfostatus = ares__parse_into_addrinfo(abuf, alen, hquery->ai);
     }
-  else if (status == ARES_EDESTRUCTION)
-    {
-      end_hquery(hquery, status);
-      return;
-    }
 
   if (!hquery->remaining)
     {
@@ -566,6 +561,13 @@ static void host_callback(void *arg, int status, int timeouts,
         {
           next_lookup(hquery, status);
         }
+      else if (status == ARES_EDESTRUCTION)
+        {
+          /* NOTE: Could also be ARES_EDESTRUCTION.  We need to only call this
+           * once all queries (there can be multiple for getaddrinfo) are
+           * terminated.  */
+          end_hquery(hquery, status);
+        }
       else
         {
           end_hquery(hquery, status);

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,8 @@ void ares__freeaddrinfo_nodes(struct ares_addrinfo_node *head)`
`51`	`51`
`52`	`52`	`void ares_freeaddrinfo(struct ares_addrinfo *ai)`
`53`	`53`	`{`
	`54`	`+ if (ai == NULL)`
	`55`	`+ return;`
`54`	`56`	`ares__freeaddrinfo_cnames(ai->cnames);`
`55`	`57`	`ares__freeaddrinfo_nodes(ai->nodes);`
`56`	`58`	`ares_free(ai);`
Original file line number	Diff line number	Diff line change
`@@ -544,11 +544,6 @@ static void host_callback(void *arg, int status, int timeouts,`
`544`	`544`	`{`
`545`	`545`	`addinfostatus = ares__parse_into_addrinfo(abuf, alen, hquery->ai);`
`546`	`546`	`}`
`547`		`- else if (status == ARES_EDESTRUCTION)`
`548`		`- {`
`549`		`- end_hquery(hquery, status);`
`550`		`- return;`
`551`		`- }`
`552`	`547`
`553`	`548`	`if (!hquery->remaining)`
`554`	`549`	`{`
`@@ -566,6 +561,13 @@ static void host_callback(void *arg, int status, int timeouts,`
`566`	`561`	`{`
`567`	`562`	`next_lookup(hquery, status);`
`568`	`563`	`}`
	`564`	`+ else if (status == ARES_EDESTRUCTION)`
	`565`	`+ {`
	`566`	`+ /* NOTE: Could also be ARES_EDESTRUCTION. We need to only call this`
	`567`	`+ * once all queries (there can be multiple for getaddrinfo) are`
	`568`	`+ * terminated. */`
	`569`	`+ end_hquery(hquery, status);`
	`570`	`+ }`
`569`	`571`	`else`
`570`	`572`	`{`
`571`	`573`	`end_hquery(hquery, status);`