BIND | Potential for NULL pointer de-references plus memory leaks (CWE-476) in file 'dlz_mysqldyn_mod.c'
Summary
Hello, while reviewing code in BIND 9.14.5, in directory 'contrib/dlz/modules/mysqldyn', file 'dlz_mysqldyn_mod.c', I found missing sanity checks for memory allocations starting at approximately line 1298 in function 'dlz_newversion': the allocations are not checked for a return value of NULL, indicating failure. Additionally, more memory allocations are done in the same way, and in the event of failure, previous allocations are not released prior to returning with a value of 'ISC_R_NOMEMORY'.
BIND version used
BIND version is 9.14.5
Steps to reproduce
N/A - bug is in software
What is the current bug behavior?
If the bug is triggered, the software could abort with 'segmentation fault (core dumped)'.
What is the expected correct behavior?
Software should check all requests for memory allocation to ensure they were properly allocated (the attached patch file, in 'diff -u' format, does this).
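To exercise the failure paths this report describes, here is an added example (not BIND's code) that models the allocation sequence of dlz_newversion with a fault-injecting allocator, so each of the three allocations can be forced to fail and the result checked for a NULL return with no leaked blocks. The struct layout, the xmalloc/xstrdup/xfree wrappers, newversion() and leak_free_on_failure() are assumed names for the demonstration; the dbi/next members and get_dbi() are left out.

```c
#include <stdlib.h>
#include <string.h>
/* Mirrors the two string members the patch allocates; dbi/next are omitted. */
typedef struct { char *zone; char *zone_id; } mysql_transaction_t;
/* Fault injection: the allocation with 0-based index fail_at returns NULL
 * (-1 disables); live_blocks counts outstanding allocations to detect leaks. */
static int alloc_count, fail_at = -1, live_blocks;
static void *xmalloc(size_t n) {
	if (alloc_count++ == fail_at) return NULL;
	void *p = malloc(n); if (p != NULL) live_blocks++;
	return p;
}
static char *xstrdup(const char *s) {
	size_t n = strlen(s) + 1; char *p = xmalloc(n);
	if (p != NULL) memcpy(p, s, n);
	return p;
}
static void xfree(void *p) { if (p != NULL) { live_blocks--; free(p); } }
/* Checked version of the allocation sequence from dlz_newversion(): every
 * allocation is tested, and one cleanup label releases whatever succeeded. */
static mysql_transaction_t *newversion(const char *zone, const char *zone_id) {
	mysql_transaction_t *newtx = xmalloc(sizeof(*newtx));
	if (newtx == NULL) return NULL;
	newtx->zone_id = NULL;
	newtx->zone = xstrdup(zone);
	if (newtx->zone == NULL) goto fail;
	newtx->zone_id = xstrdup(zone_id);
	if (newtx->zone_id == NULL) goto fail;
	return newtx;
fail:
	xfree(newtx->zone);   /* NULL-safe, so correct for either failure point */
	xfree(newtx);
	return NULL;
}
static void freeversion(mysql_transaction_t *tx) {
	if (tx != NULL) { xfree(tx->zone_id); xfree(tx->zone); xfree(tx); }
}
/* Force allocation number n (-1: none) to fail. Returns 1 when newversion()
 * behaved: NULL with nothing left allocated on failure, three live blocks on
 * success. The zone/zone_id inputs are constructed sample values. */
int leak_free_on_failure(int n) {
	alloc_count = 0; live_blocks = 0; fail_at = n;
	mysql_transaction_t *tx = newversion("example.test", "42");
	fail_at = -1;
	int ok = (n < 0) ? (tx != NULL && live_blocks == 3)
	                 : (tx == NULL && live_blocks == 0);
	freeversion(tx);
	return ok;
}
```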
Relevant configuration files
N/A
Relevant logs and/or screenshots
N/A
Possible fixes
Attaching file 'dlz_mysqldyn_mod.c.patch' (in 'diff -u' format) to this report. Here is the patch file:
root@stargate:/usr/local/src/bind-9.14.5/contrib/dlz/modules/mysqldyn# diff -u dlz_mysqldyn_mod.c.orig dlz_mysqldyn_mod.c
--- dlz_mysqldyn_mod.c.orig 2019-09-03 17:43:41.826419700 -0700
+++ dlz_mysqldyn_mod.c 2019-09-03 17:50:52.887392600 -0700
@@ -1298,8 +1298,19 @@
*/
newtx = (mysql_transaction_t *)
malloc(sizeof(mysql_transaction_t));
+ if (newtx == NULL) /* check to see if memory was actually allocated */
+ return (ISC_R_NOMEMORY);
newtx->zone = strdup(zone);
+ if (newtx->zone == NULL) { /* check to see if memory was actually allocated */
+ free(newtx); /* free previously allocated memory */
+ return (ISC_R_NOMEMORY);
+ }
newtx->zone_id = strdup(zone_id);
+ if (newtx->zone_id == NULL) { /* check to see if memory was actually allocated */
+ free(newtx_zone); /* free previous allocation made */
+ free(newtx); /* free initial allocation */
+ return (ISC_R_NOMEMORY);
+ }
newtx->dbi = get_dbi(state);
newtx->next = NULL;
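Review bot: the third check in this hunk frees `newtx_zone`, which is not a declared identifier, so the patched file will not compile; the line should read `free(newtx->zone);`. The error paths are otherwise correct as shown: the first check returns with nothing to release, and the second frees `newtx` before returning. Two smaller points: the first `if (newtx == NULL)` omits the braces the other two checks use, so the style is inconsistent within one hunk; and the hunk header declares 8 old / 19 new lines while 7 / 18 are visible here, so the pasted hunk appears to be cut short at the end and the attached patch file should be checked against it. If the rest of `dlz_newversion` contains further allocations, a single cleanup label that releases whatever has been allocated so far would avoid repeating a growing chain of `free()` calls in each later error path.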