BIND | Potential for NULL pointer de-references plus memory leaks (CWE-476) in file 'dlz_mysqldyn_mod.c' (#1207) · Issues · ISC Open Source Projects / BIND

BIND | Potential for NULL pointer de-references plus memory leaks (CWE-476) in file 'dlz_mysqldyn_mod.c'

Summary

Hello, while reviewing code in BIND 9.14.5, in directory 'contrib/dlz/modules/mysqldyn' file 'dlz_mysqldyn_mod.c', I found missing sanity checks for memory allocations starting at approximately line 1298 in function 'dlz_newversion' which are not checked for a return value of NULL, indicating failure...additionally, more memory allocations are done in the same way, and in the event of failure, previous allocations are not released prior to returning with a value of 'ISC_R_NOMEMORY'.

BIND version used

BIND version is 9.14.5

Steps to reproduce

N/A - bug is in software

What is the current bug behavior?

If bug is triggered, software could abort with 'segmentation fault (core dumped)'

What is the expected correct behavior?

Software should check all requests for memory allocation to ensure they were properly allocated (the attached patch file does this) 'diff -u' format.

Relevant configuration files

N/A

Relevant logs and/or screenshots

N/A

Possible fixes

Attaching file 'dlz_mysqldyn_mod.c.patch' to this report (diff -u) format

dlz_mysqldyn_mod.c.patch Here is the patch file in 'diff -u' format:

root@stargate:/usr/local/src/bind-9.14.5/contrib/dlz/modules/mysqldyn# diff -u dlz_mysqldyn_mod.c.orig dlz_mysqldyn_mod.c     
--- dlz_mysqldyn_mod.c.orig     2019-09-03 17:43:41.826419700 -0700
+++ dlz_mysqldyn_mod.c  2019-09-03 17:50:52.887392600 -0700
@@ -1298,8 +1298,19 @@
         */
        newtx = (mysql_transaction_t *)
                malloc(sizeof(mysql_transaction_t));
+       if (newtx == NULL) /* check to see if memory was actually allocated */
+               return (ISC_R_NOMEMORY);
        newtx->zone = strdup(zone);
+       if (newtx->zone == NULL) { /* check to see if memory was actually allocated */
+               free(newtx);               /* free previously allocated memory */
+               return (ISC_R_NOMEMORY);
+       }
        newtx->zone_id = strdup(zone_id);
+       if (newtx->zone_id == NULL) { /* check to see if memory was actually allocated */
+               free(newtx_zone);                 /* free previous allocation made */
+               free(newtx);                      /* free initial allocation */
+               return (ISC_R_NOMEMORY);
+       }
        newtx->dbi = get_dbi(state);
        newtx->next = NULL;

### Summary

Hello, while reviewing code in BIND 9.14.5, in directory 'contrib/dlz/modules/mysqldyn'
file 'dlz_mysqldyn_mod.c', I found missing sanity checks for memory allocations starting
at approximately line 1298 in function 'dlz_newversion' which are not checked for a
return value of NULL, indicating failure...additionally, more memory allocations are
done in the same way, and in the event of failure, previous allocations are not released
prior to returning with a value of 'ISC_R_NOMEMORY'.

### BIND version used

BIND version is 9.14.5

### Steps to reproduce

N/A - bug is in software

### What is the current *bug* behavior?

If bug is triggered, software could abort with 'segmentation fault (core dumped)'

### What is the expected *correct* behavior?

Software should check all requests for memory allocation to ensure they were properly
allocated (the attached patch file does this) 'diff -u' format.

### Relevant configuration files

N/A

### Relevant logs and/or screenshots

N/A

### Possible fixes

Attaching file 'dlz_mysqldyn_mod.c.patch' to this report (diff -u) format

[dlz_mysqldyn_mod.c.patch](/uploads/a58c450eeba022b25a31ee2fd2887cf2/dlz_mysqldyn_mod.c.patch)
Here is the patch file in 'diff -u' format:

```
root@stargate:/usr/local/src/bind-9.14.5/contrib/dlz/modules/mysqldyn# diff -u dlz_mysqldyn_mod.c.orig dlz_mysqldyn_mod.c     
--- dlz_mysqldyn_mod.c.orig     2019-09-03 17:43:41.826419700 -0700
+++ dlz_mysqldyn_mod.c  2019-09-03 17:50:52.887392600 -0700
@@ -1298,8 +1298,19 @@
         */
        newtx = (mysql_transaction_t *)
                malloc(sizeof(mysql_transaction_t));
+       if (newtx == NULL) /* check to see if memory was actually allocated */
+               return (ISC_R_NOMEMORY);
        newtx->zone = strdup(zone);
+       if (newtx->zone == NULL) { /* check to see if memory was actually allocated */
+               free(newtx);               /* free previously allocated memory */
+               return (ISC_R_NOMEMORY);
+       }
        newtx->zone_id = strdup(zone_id);
+       if (newtx->zone_id == NULL) { /* check to see if memory was actually allocated */
+               free(newtx_zone);                 /* free previous allocation made */
+               free(newtx);                      /* free initial allocation */
+               return (ISC_R_NOMEMORY);
+       }
        newtx->dbi = get_dbi(state);
        newtx->next = NULL;
```

Edited Sep 04, 2019 by Mark Andrews

To upload designs, you'll need to enable LFS. More information