Changeset 56826 in vbox

Timestamp:

Jul 6, 2015 5:07:36 PM (9 years ago)

Author:

vboxsync

Message:

NAT: dnsproxy_answer: make sure the answer is really for our query, to
enforce socket/query correspondence.

File:

• trunk/src/VBox/Devices/Network/slirp/dnsproxy/dnsproxy.c (modified) (2 diffs)

trunk/src/VBox/Devices/Network/slirp/dnsproxy/dnsproxy.c

@@ -535 +535 @@
     }
 
+    /* find corresponding query (XXX: but see below) */
     query = hash_find_request(pData, *((unsigned short *)buf));
 
-    /* find corresponding query */
     if (query == NULL)
     {
@@ -548 +548 @@
         return;
     }
+
+    /*
+     * XXX: The whole hash thing is pretty meaningless right now since
+     * we use a separate socket for each request, so we already know
+     * the answer.
+     *
+     * If the answer is not what we expect it to be, then it's
+     * probably a stray or malicious reply and we'd better not free a
+     * query owned by some other socket - that would cause
+     * use-after-free later on.
+     */
+    if (query != so->so_timeout_arg)
+        return;
 
     so->so_timeout = NULL;