resolv: Always set *resplen2 out parameter in send_vc [BZ #19825]

In various error scenarios (for example, if the server closes the TCP connection before sending the full response), send_vc can return without resetting the *resplen2 value. This can pass uninitialized or unexpected data to the caller.
2025-07-29 11:41:21 +03:00 · 2016-04-27 14:26:47 +02:00
parent b06549a5e6
commit b9bdfa7c8f
2 changed files with 25 additions and 21 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
 2016-04-27  Florian Weimer  <fweimer@redhat.com>
 	[BZ #19825]
 	* resolv/res_send.c (send_vc): Remove early *resplen2
 	initialization.  Set *resplen2 on socket error.  Call
 	close_and_return_error for other errors.
 2016-04-27  Stefan Liebler  <stli@linux.vnet.ibm.com>
 	* sysdeps/unix/sysv/linux/netiucv/iucv.h
--- a/resolv/res_send.c
+++ b/resolv/res_send.c
@ -762,8 +762,6 @@ send_vc(res_state statp,
 	u_short len2;
 	u_char *cp;
 	if (resplen2 != NULL)
 	  *resplen2 = 0;
 	connreset = 0;
 same_ns:
 	truncating = 0;
@ -789,6 +787,8 @@ send_vc(res_state statp,
 		if (statp->_vcsock < 0) {
 			*terrno = errno;
 			Perror(statp, stderr, "socket(vc)", errno);
 			if (resplen2 != NULL)
 			  *resplen2 = 0;
 			return (-1);
 		}
 		__set_errno (0);
@ -798,8 +798,7 @@ send_vc(res_state statp,
 			    : sizeof (struct sockaddr_in6)) < 0) {
 			*terrno = errno;
 			Aerror(statp, stderr, "connect/vc", errno, nsap);
-			__res_iclose(statp, false);
+			return close_and_return_error (statp, resplen2);
 			return (0);
 		}
 		statp->_flags |= RES_F_VC;
 	}
@ -822,8 +821,7 @@ send_vc(res_state statp,
 	if (TEMP_FAILURE_RETRY (writev(statp->_vcsock, iov, niov)) != explen) {
 		*terrno = errno;
 		Perror(statp, stderr, "write failed", errno);
-		__res_iclose(statp, false);
+		return close_and_return_error (statp, resplen2);
 		return (0);
 	}
 	/*
 	 * Receive length & response
@ -845,7 +843,6 @@ send_vc(res_state statp,
 	if (n <= 0) {
 		*terrno = errno;
 		Perror(statp, stderr, "read failed", errno);
 		__res_iclose(statp, false);
 		/*
 		 * A long running process might get its TCP
 		 * connection reset if the remote server was
@ -855,11 +852,13 @@ send_vc(res_state statp,
 		 * instead of failing.  We only allow one reset
 		 * per query to prevent looping.
 		 */
-		if (*terrno == ECONNRESET && !connreset) {
+		if (*terrno == ECONNRESET && !connreset)
 		  {
 		    __res_iclose (statp, false);
 		    connreset = 1;
 		    goto same_ns;
 		  }
-		return (0);
+		return close_and_return_error (statp, resplen2);
 	}
 	int rlen = ntohs (rlen16);
@ -891,10 +890,10 @@ send_vc(res_state statp,
 			/* Always allocate MAXPACKET, callers expect
 			   this specific size.  */
 			u_char *newp = malloc (MAXPACKET);
-			if (newp == NULL) {
+			if (newp == NULL)
 			  {
 			    *terrno = ENOMEM;
-				__res_iclose(statp, false);
+			    return close_and_return_error (statp, resplen2);
 				return (0);
 			  }
 			*thisanssizp = MAXPACKET;
 			*thisansp = newp;
@ -922,8 +921,7 @@ send_vc(res_state statp,
 		Dprint(statp->options & RES_DEBUG,
 		       (stdout, ";; undersized: %d\n", len));
 		*terrno = EMSGSIZE;
-		__res_iclose(statp, false);
+		return close_and_return_error (statp, resplen2);
 		return (0);
 	}
 	cp = *thisansp;
@ -934,8 +932,7 @@ send_vc(res_state statp,
 	if (__glibc_unlikely (n <= 0))       {
 		*terrno = errno;
 		Perror(statp, stderr, "read(vc)", errno);
-		__res_iclose(statp, false);
+		return close_and_return_error (statp, resplen2);
 		return (0);
 	}
 	if (__glibc_unlikely (truncating))       {
 		/*