ISC Open Source Projects / BIND / Issues / #1207
Issue created Sep 04, 2019 by Ghost User@ghost

BIND | Potential for NULL pointer de-references plus memory leaks (CWE-476) in file 'dlz_mysqldyn_mod.c'

Summary

Hello, while reviewing code in BIND 9.14.5, in directory 'contrib/dlz/modules/mysqldyn' file 'dlz_mysqldyn_mod.c', I found missing sanity checks for memory allocations starting at approximately line 1298 in function 'dlz_newversion' which are not checked for a return value of NULL, indicating failure. Additionally, more memory allocations are done in the same way, and in the event of failure, previous allocations are not released prior to returning with a value of 'ISC_R_NOMEMORY'.

BIND version used

BIND version is 9.14.5

Steps to reproduce

N/A - bug is in software

What is the current bug behavior?

If bug is triggered, software could abort with 'segmentation fault (core dumped)'

What is the expected correct behavior?

Software should check all requests for memory allocation to ensure they were properly allocated (the attached patch file, in 'diff -u' format, does this).

Relevant configuration files

N/A

Relevant logs and/or screenshots

N/A

Possible fixes

Attaching file 'dlz_mysqldyn_mod.c.patch' to this report ('diff -u' format)

Attachment: dlz_mysqldyn_mod.c.patch

Here is the patch file in 'diff -u' format:

root@stargate:/usr/local/src/bind-9.14.5/contrib/dlz/modules/mysqldyn# diff -u dlz_mysqldyn_mod.c.orig dlz_mysqldyn_mod.c     
--- dlz_mysqldyn_mod.c.orig     2019-09-03 17:43:41.826419700 -0700
+++ dlz_mysqldyn_mod.c  2019-09-03 17:50:52.887392600 -0700
@@ -1298,8 +1298,19 @@
         */
        newtx = (mysql_transaction_t *)
                malloc(sizeof(mysql_transaction_t));
+       if (newtx == NULL) /* check to see if memory was actually allocated */
+               return (ISC_R_NOMEMORY);
        newtx->zone = strdup(zone);
+       if (newtx->zone == NULL) { /* check to see if memory was actually allocated */
+               free(newtx);               /* free previously allocated memory */
+               return (ISC_R_NOMEMORY);
+       }
        newtx->zone_id = strdup(zone_id);
+       if (newtx->zone_id == NULL) { /* check to see if memory was actually allocated */
+               free(newtx_zone);                 /* free previous allocation made */
+               free(newtx);                      /* free initial allocation */
+               return (ISC_R_NOMEMORY);
+       }
        newtx->dbi = get_dbi(state);
        newtx->next = NULL;
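
Review bot: In the zone_id failure branch, `free(newtx_zone);` names an identifier that is not declared anywhere in the visible lines, so the patched file will not compile as written; the string duplicated just above is stored in `newtx->zone`, so the call should be `free(newtx->zone);`. The three new early returns also leave the function directly: if anything acquired earlier in the function (not visible in this hunk) must be released on error, each of these paths has to do so as well, and a single cleanup label would keep that unwinding in one place.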
Edited Sep 04, 2019 by Mark Andrews
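
The two defects described in the summary (an unchecked allocation, and earlier allocations not released when a later one fails) can be checked mechanically by failing each allocation in turn and counting what is still held. The following C program is an added example, not code from BIND or from the reporter's patch; `tx_t`, `result_t`, `tx_new` and the `x*` allocator wrappers are hypothetical stand-ins for the module's types and calls.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the module's result codes and transaction type. */
typedef enum { R_SUCCESS = 0, R_NOMEMORY = 1 } result_t;
typedef struct tx { char *zone; char *zone_id; } tx_t;

/* Fault-injecting allocator: allocation number fail_at returns NULL. */
static int alloc_calls, fail_at, live_blocks;
static void *xmalloc(size_t n) {
    if (++alloc_calls == fail_at) return NULL;
    void *p = malloc(n);
    if (p != NULL) live_blocks++;
    return p;
}
static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = xmalloc(n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}
static void xfree(void *p) { if (p != NULL) { live_blocks--; free(p); } }
static void tx_free(tx_t *tx) { xfree(tx->zone_id); xfree(tx->zone); xfree(tx); }

/* Build a transaction; every failure path unwinds through one label. */
static result_t tx_new(const char *zone, const char *zone_id, tx_t **out) {
    tx_t *tx = xmalloc(sizeof(*tx));
    if (tx == NULL) return R_NOMEMORY;        /* nothing to release yet */
    tx->zone = tx->zone_id = NULL;            /* cleanup is safe at any stage */
    if ((tx->zone = xstrdup(zone)) == NULL) goto fail;
    if ((tx->zone_id = xstrdup(zone_id)) == NULL) goto fail;
    *out = tx;
    return R_SUCCESS;
fail:
    tx_free(tx);                              /* frees whatever was allocated */
    return R_NOMEMORY;
}

/* Fail allocation n (0 = none) and return the number of blocks still held. */
static int leaked_after_failure(int n) {
    tx_t *tx = NULL;
    alloc_calls = 0; fail_at = n; live_blocks = 0;
    if (tx_new("example.com", "42", &tx) == R_SUCCESS) tx_free(tx);
    return live_blocks;
}

int main(void) {
    for (int n = 0; n <= 3; n++)              /* constructed inputs, 3 allocations */
        printf("fail_at=%d leaked=%d\n", n, leaked_after_failure(n));
    return 0;
}
```
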