From 7deb24a6ae65dc2f19a25c9f01e1df4f772f5db6 Mon Sep 17 00:00:00 2001 From: Bill Paul Date: Sun, 27 Jul 1997 03:41:53 +0000 Subject: [PATCH] Fix a bug in the async DNS resolver that can crash ypserv. yp_prune_dnsq() is not sane: if the TTL on a pending but unanswered query hits 0 and the circular queue entry is removed and free()d, the for() loop may still try to use the entry pointer (which now points at no longer valid memory). usually, deleting only the last entry off the end of the queue worked, but if more than one was deleted, the server would crash. I changed things a bit so this shouldn't happen anymore. Also arranged to call the prune routine a bit more often. --- usr.sbin/ypserv/yp_dnslookup.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/usr.sbin/ypserv/yp_dnslookup.c b/usr.sbin/ypserv/yp_dnslookup.c index a9415d7dd067..e330e156a7b5 100644 --- a/usr.sbin/ypserv/yp_dnslookup.c +++ b/usr.sbin/ypserv/yp_dnslookup.c @@ -29,7 +29,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id$ + * $Id: yp_dnslookup.c,v 1.10 1997/02/22 16:15:10 peter Exp $ */ /* @@ -65,7 +65,7 @@ #include "yp_extern.h" #ifndef lint -static const char rcsid[] = "$Id$"; +static const char rcsid[] = "$Id: yp_dnslookup.c,v 1.10 1997/02/22 16:15:10 peter Exp $"; #endif static char *parse(hp) @@ -315,16 +315,19 @@ static void yp_send_dns_reply(q, buf) */ void yp_prune_dnsq() { - register struct circleq_dnsentry *q; + register struct circleq_dnsentry *q, *n; - for (q = qhead.cqh_first; q != (void *)&qhead; q = q->links.cqe_next) { + q = qhead.cqh_first; + while(q != (void *)&qhead) { q->ttl--; + n = q->links.cqe_next; if (!q->ttl) { CIRCLEQ_REMOVE(&qhead, q, links); free(q->name); free(q); pending--; } + q = n; } if (pending < 0) @@ -470,6 +473,7 @@ ypstat yp_async_lookup_name(rqstp, name) if (debug) yp_error("Queueing async DNS name lookup (%d)", q->id); + yp_prune_dnsq(); return(YP_TRUE); } @@ -534,5 +538,6 @@ ypstat yp_async_lookup_addr(rqstp, addr) if (debug) yp_error("Queueing async DNS address lookup (%d)", q->id); + yp_prune_dnsq(); return(YP_TRUE); }