
Commit fc3f21a

committed
fix(mdns): Use after free
1 parent c078c36 commit fc3f21a


1 file changed

+21
-11
lines changed


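--- a/components/mdns/mdns.c
+++ b/components/mdns/mdns.c
@@ -1568,7 +1568,7 @@ static void _mdns_free_tx_packet(mdns_tx_packet_t *packet)
 mdns_mem_free((char *)q->host);
 mdns_mem_free((char *)q->service);
 mdns_mem_free((char *)q->proto);
-mdns_mem_free((char *)q->domain);
+// Note: q->domain points to MDNS_DEFAULT_DOMAIN constant, don't free it
 }
 mdns_mem_free(q);
 q = next;
@@ -2078,11 +2078,11 @@ static bool _mdns_append_host_question(mdns_out_question_t **questions, const ch
 q->next = NULL;
 q->unicast = unicast;
 q->type = MDNS_TYPE_ANY;
-q->host = hostname;
+q->host = hostname ? mdns_mem_strndup(hostname, MDNS_NAME_BUF_LEN - 1) : NULL;
 q->service = NULL;
 q->proto = NULL;
 q->domain = MDNS_DEFAULT_DOMAIN;
-q->own_dynamic_memory = false;
+q->own_dynamic_memory = true;
 if (_mdns_question_exists(q, *questions)) {
 mdns_mem_free(q);
 } else {
@@ -2127,11 +2127,11 @@ static mdns_tx_packet_t *_mdns_create_probe_packet(mdns_if_t tcpip_if, mdns_ip_p
 q->next = NULL;
 q->unicast = first;
 q->type = MDNS_TYPE_ANY;
-q->host = _mdns_get_service_instance_name(services[i]->service);
-q->service = services[i]->service->service;
-q->proto = services[i]->service->proto;
+q->host = _mdns_get_service_instance_name(services[i]->service) ? mdns_mem_strndup(_mdns_get_service_instance_name(services[i]->service), MDNS_NAME_BUF_LEN - 1) : NULL;
+q->service = services[i]->service->service ? mdns_mem_strndup(services[i]->service->service, MDNS_NAME_BUF_LEN - 1) : NULL;
+q->proto = services[i]->service->proto ? mdns_mem_strndup(services[i]->service->proto, MDNS_NAME_BUF_LEN - 1) : NULL;
 q->domain = MDNS_DEFAULT_DOMAIN;
-q->own_dynamic_memory = false;
+q->own_dynamic_memory = true;
 if (!q->host || _mdns_question_exists(q, packet->questions)) {
 mdns_mem_free(q);
 continue;
@@ -2834,13 +2834,23 @@ static void _mdns_remove_scheduled_service_packets(mdns_service_t *service)
 && qs->service && strcmp(qs->service, service->service) == 0
 && qs->proto && strcmp(qs->proto, service->proto) == 0) {
 q->questions = q->questions->next;
+if (qs->own_dynamic_memory) {
+mdns_mem_free((char *)qs->host);
+mdns_mem_free((char *)qs->service);
+mdns_mem_free((char *)qs->proto);
+}
 mdns_mem_free(qs);
 } else while (qs->next) {
 qsn = qs->next;
 if (qsn->type == MDNS_TYPE_ANY
 && qsn->service && strcmp(qsn->service, service->service) == 0
 && qsn->proto && strcmp(qsn->proto, service->proto) == 0) {
 qs->next = qsn->next;
+if (qsn->own_dynamic_memory) {
+mdns_mem_free((char *)qsn->host);
+mdns_mem_free((char *)qsn->service);
+mdns_mem_free((char *)qsn->proto);
+}
 mdns_mem_free(qsn);
 break;
 }
@@ -5017,11 +5027,11 @@ static mdns_tx_packet_t *_mdns_create_search_packet(mdns_search_once_t *search,
 q->next = NULL;
 q->unicast = search->unicast;
 q->type = search->type;
-q->host = search->instance;
-q->service = search->service;
-q->proto = search->proto;
+q->host = search->instance ? mdns_mem_strndup(search->instance, MDNS_NAME_BUF_LEN - 1) : NULL;
+q->service = search->service ? mdns_mem_strndup(search->service, MDNS_NAME_BUF_LEN - 1) : NULL;
+q->proto = search->proto ? mdns_mem_strndup(search->proto, MDNS_NAME_BUF_LEN - 1) : NULL;
 q->domain = MDNS_DEFAULT_DOMAIN;
-q->own_dynamic_memory = false;
+q->own_dynamic_memory = true;
 queueToEnd(mdns_out_question_t, packet->questions, q);
 
 if (search->type == MDNS_TYPE_PTR) {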
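Review bot: In the `_mdns_create_probe_packet` hunk, the `!q->host || _mdns_question_exists(...)` branch still releases only the node with `mdns_mem_free(q);`, so the `mdns_mem_strndup` copies just stored in `q->service` and `q->proto` (and `q->host`, when the question is a duplicate) leak on every skipped question; `_mdns_append_host_question` has the same gap, leaking `q->host` on its `_mdns_question_exists` branch. Before each of those `mdns_mem_free(q);` calls insert `mdns_mem_free((char *)q->host); mdns_mem_free((char *)q->service); mdns_mem_free((char *)q->proto);`, which is fine for the NULL members provided `mdns_mem_free` tolerates NULL like `free()` does (the new `_mdns_remove_scheduled_service_packets` code already passes an unchecked `qs->host` to it). As a point of style, the `q->host` line calls `_mdns_get_service_instance_name(services[i]->service)` twice; capturing it once in a local such as `const char *inst = _mdns_get_service_instance_name(services[i]->service);` reads better and avoids the repeated lookup. Note also that `mdns_mem_strndup` presumably returns NULL on allocation failure, which only the probe path detects via `!q->host`; in `_mdns_create_search_packet` a NULL from a failed copy is indistinguishable from an intentionally empty field, so an explicit check or at least a comment stating that this is accepted would help. All three functions start and end outside their hunks.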
