Fix heap-use-after-free in rb_getaddrinfo (#13856)

shioimm · web-flow · commit 0058bee57eb9 · 2025-07-11T14:47:18.000+09:00
This change addresses the following ASAN error: ``` ==1973462==ERROR: AddressSanitizer: heap-use-after-free on address 0x5110002117dc at pc 0x749c307c8a65 bp 0x7ffc3af331d0 sp 0x7ffc3af331c8 READ of size 4 at 0x5110002117dc thread T0 #0 0x749c307c8a64 in rb_getaddrinfo /tmp/ruby/src/trunk_asan/ext/socket/raddrinfo.c:564:14 #1 0x749c307c8a64 in rsock_getaddrinfo /tmp/ruby/src/trunk_asan/ext/socket/raddrinfo.c:1008:21 #2 0x749c307cac48 in rsock_addrinfo /tmp/ruby/src/trunk_asan/ext/socket/raddrinfo.c:1049:12 #3 0x749c307b10ae in init_inetsock_internal /tmp/ruby/src/trunk_asan/ext/socket/ipsocket.c:62:23 #4 0x562c5b2e327e in rb_ensure /tmp/ruby/src/trunk_asan/eval.c:1080:18 #5 0x749c307aafd4 in rsock_init_inetsock /tmp/ruby/src/trunk_asan/ext/socket/ipsocket.c:1318:12 #6 0x749c307b3b78 in tcp_svr_init /tmp/ruby/src/trunk_asan/ext/socket/tcpserver.c:39:12 ``` Fixed to avoid accessing memory that has already been freed after calling `free_getaddrinfo_arg`.
diff --git a/ext/socket/raddrinfo.c b/ext/socket/raddrinfo.c
@@ -517,7 +517,7 @@ rb_getaddrinfo(const char *hostp, const char *portp, const struct addrinfo *hint
 {
     int retry;
     struct getaddrinfo_arg *arg;
-    int err = 0, gai_errno = 0;
+    int err = 0, gai_errno = 0, timedout = 0;
 
 start:
     retry = 0;
@@ -548,6 +548,7 @@ rb_getaddrinfo(const char *hostp, const char *portp, const struct addrinfo *hint
         }
         else if (arg->cancelled) {
             retry = 1;
+            timedout = arg->timedout;
         }
         else {
             // If already interrupted, rb_thread_call_without_gvl2 may return without calling wait_getaddrinfo.
@@ -561,7 +562,7 @@ rb_getaddrinfo(const char *hostp, const char *portp, const struct addrinfo *hint
 
     if (need_free) free_getaddrinfo_arg(arg);
 
-    if (arg->timedout) {
+    if (timedout) {
         VALUE errno_module = rb_const_get(rb_cObject, rb_intern("Errno"));
         VALUE etimedout_error = rb_const_get(errno_module, rb_intern("ETIMEDOUT"));
         rb_raise(etimedout_error, "user specified timeout");
